When SELinux is enabled, it enables libaudit support; this results in a crash of dbus, leaving many processes completely busted. I have not been able to get a core dump or even a bt of the failure.

Portage 2.1.10.49 (hardened/linux/amd64/no-multilib/selinux, gcc-4.6.2, glibc-2.14.1-r2, 3.2.7-hardened x86_64)
=================================================================
System Settings
=================================================================
System uname: Linux-3.2.7-hardened-x86_64-Intel-R-_Core-TM-_i5_CPU_M_560_@_2.67GHz-with-gentoo-2.1
Timestamp of tree: Sun, 26 Feb 2012 23:00:01 +0000
app-shells/bash: 4.2_p20
dev-lang/python: 2.7.2-r3, 3.2.2
dev-util/cmake: 2.8.7-r3
dev-util/pkgconfig: 0.26
sys-apps/baselayout: 2.1
sys-apps/openrc: 0.9.9.2
sys-apps/sandbox: 2.5
sys-devel/autoconf: 2.13, 2.68
sys-devel/automake: 1.11.3
sys-devel/binutils: 2.22-r1
sys-devel/gcc: 4.6.2
sys-devel/gcc-config: 1.5-r2
sys-devel/libtool: 2.4.2
sys-devel/make: 3.82-r3
sys-kernel/linux-headers: 3.2-r1 (virtual/os-headers)
sys-libs/glibc: 2.14.1-r2
Repositories: gentoo anarchy mozilla hardened-dev
ACCEPT_KEYWORDS="amd64 ~amd64"
ACCEPT_LICENSE="* -@EULA"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-O2 -march=native -pipe -Wimplicit-function-declaration"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/share/gnupg/qualified.txt"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/dconf /etc/env.d /etc/fonts/fonts.conf /etc/gconf /etc/gentoo-release /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=native -pipe -Wenum-compare"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--with-bdeps=y --quiet-build=y"
FEATURES="assume-digests binpkg-logs distlocks ebuild-locks fixlafiles news parallel-fetch protect-owned sandbox sesandbox sfperms sign strict unknown-features-warn unmerge-logs unmerge-orphans userfetch userpriv usersandbox"
FFLAGS=""
GENTOO_MIRRORS="http://distfiles.gentoo.org"
LANG="en_US.UTF-8"
LC_ALL="en_US.utf8"
LDFLAGS="-Wl,-O1 -Wl,--as-needed -Wl,-O1 -Wl,--hash-style=gnu -Wl,--sort-common"
MAKEOPTS="-j5 -s --no-print-directory"
PKGDIR="/usr/portage/packages"
PORTAGE_COMPRESS="xz"
PORTAGE_COMPRESS_FLAGS="-z -9 -f -S .xz"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --human-readable --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp/tmpfs"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/home/gentoo /home/mozilla /home/hardened-dev"
SYNC="rsync://rsync.gentoo.org/gentoo-portage"
USE="X a52 aac alsa amd64 apng audit berkdb bidi bluetooth bzip2 cairo cdda cdio cli consolekit corefonts cracklib crypt cxx dbus djvu dri dts dvd encode ffmpeg flac freetype gdbm gpm gtk gtk3 hardened httpd iconv jpeg justify libffi libssh2 live lzma mad matroska mmx modules mp3 mpeg mudflap ncurses nptl nptlonly nsplugin nss ogg oggvorbis open_perms opengl openmp pam pam_ssh pango pax_kernel pcre png policykit pppd python3 readline sdl selinux session spell sqlite sse sse2 sse3 ssl ssse3 stream svg sysfs syslog tcpd theora thunar tiff truetype udev unicode urandom usb vcd vlm vorbis vpx x264 xinerama xorg xv xvid zlib"
ALSA_CARDS="hda-intel"
ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol"
CALLIGRA_FEATURES="kexi words flow plan stage tables krita karbon braindump"
CAMERAS="ptp2"
COLLECTD_PLUGINS="df interface irq load memory rrdtool swap syslog"
ELIBC="glibc"
GPSD_PROTOCOLS="ashtech aivdm earthmate evermore fv18 garmin garmintxt gpsclock itrax mtk3301 nmea ntrip navcom oceanserver oldstyle oncore rtcm104v2 rtcm104v3 sirf superstar2 timing tsip tripmate tnt ubx"
GRUB_PLATFORMS="pc"
INPUT_DEVICES="evdev synaptics"
KERNEL="linux"
LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text"
PHP_TARGETS="php5-3"
RUBY_TARGETS="ruby18"
USERLAND="GNU"
VIDEO_CARDS="intel"
XTABLES_ADDONS="quota2 psd pknock lscan length2 ipv4options ipset ipp2p iface geoip fuzzy condition tee tarpit sysrq steal rawnat logmark ipmark dhcpmac delude chaos account"
Unset: CPPFLAGS, CTARGET, INSTALL_MASK, LINGUAS, PORTAGE_BUNZIP2_COMMAND, PORTAGE_RSYNC_EXTRA_OPTS

=================================================================
Package Settings
=================================================================
sys-apps/dbus-1.4.18 was built with the following:
USE="X (selinux) -debug -doc -static-libs -test"
CFLAGS="-O2 -march=native -pipe -Wimplicit-function-declaration -rdynamic"
CXXFLAGS="-O2 -march=native -pipe -Wenum-compare -rdynamic"

I have been able to work around this issue by modifying the ebuild to disable libaudit support until more debugging can be completed.
SELinux by itself (not speaking about DBus here) does not require libaudit. I don't know if libaudit support is considered mandatory by DBus developers when enabling SELinux support, but if it's not, I would recommend to drop this dependency (or at least have it depending on USE=audit, like we do with sys-apps/policycoreutils).
Can you reproduce this (or give me some pointers on using it)?

testsys ~ # run_init rc-service dbus status
Authenticating root.
 * status: started
testsys ~ # ps -efZ | grep dbus | grep -v grep
system_u:system_r:system_dbusd_t 102 29962 1 0 21:16 ? 00:00:00 /usr/bin/dbus-daemon --system
testsys ~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             strict
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              disabled
Policy deny_unknown status:     denied
Max kernel policy version:      26
As per Anarchy's investigation, https://bugzilla.redhat.com/show_bug.cgi?id=717147 might prove interesting to try out
I tried the patch attached to the bug at Red Hat: though it seems to fix "avc: netlink poll: error 4", dbus doesn't start nonetheless. I'll attach the output of strace dbus-daemon --system, DBUS_VERBOSE=1 dbus-daemon --system and DBUS_VERBOSE=1 dbus-daemon --system --nofork. (DBUS_VERBOSE is only available when compiled with the debug USE flag.) Note that dbus --session works for me.
Created attachment 312881 [details] Output of strace
Created attachment 312883 [details] Output of DBUS_VERBOSE=1 with --system only
Created attachment 312885 [details] Output of DBUS_VERBOSE=1 with --system and --nofork
The following line is interesting to work from:

"""
Failed to start message bus: Failed to drop capabilities: Operation not permitted
"""

In the dbus code, this is at bus/selinux.c:

"""
  if (_dbus_geteuid () == 0)
    {
      int rc;

      capng_clear (CAPNG_SELECT_BOTH);
      capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE);
      rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);
      if (rc)
        {
          switch (rc)
            {
            default:
              dbus_set_error (error, DBUS_ERROR_FAILED,
                              "Failed to drop capabilities: %s\n",
                              _dbus_strerror (errno));
              break;
"""

The capng_change_id() function doesn't contain any SELinux-awareness, so I would imagine that the "Operation not permitted" would result in an AVC denial or two. Can you disable dontaudits (semodule -DB) and reproduce? The denials should be visible in avc.log or audit.log. If not, it's wise to take a look at the dmesg output too.
After some testing I found 2 problems causing this mess:

First: Unless DBUS_DEBUG_OUTPUT is set as an environment variable, the "dup2 (dev_null_fd, 2);" call in line 124 in dbus/dbus-sysdeps-util-unix.c seems to close or invalidate the file descriptor of the pid file, which leads to the error "No pid pipe to write to".

Second: In bus/selinux.c in line 1053 the statement "capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE);" causes the function call "capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);" to fail (rc gets assigned -9), which causes the error "Failed to drop capabilities: Operation not permitted".

I've got a workaround for both issues: the first is eliminated by commenting out the statement for the debug message, the second is solved by exchanging the "|" with a "&". So far it works for me this way. I'll attach a patch.
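The failure discussed in the two comments above comes down to one question: does the process that calls capng_change_id() actually hold CAP_AUDIT_WRITE in its permitted set? Asking libcap-ng to add a capability the process does not have (as root inside a container whose bounding set lacks it) is what makes the subsequent set-id/drop step fail. The program below is an added example, not dbus code and not the Fedora patch the later comments apply; it shows the same check from the kernel's point of view by parsing the CapPrm/CapBnd lines of a /proc/<pid>/status text. The sample status texts are constructed for the example (a bare-metal root, a container root whose capability masks lack bit 29, and an unprivileged user); the only external fact relied on is CAP_AUDIT_WRITE = 29 from linux/capability.h.

```c
/* Added example: check whether a process may keep CAP_AUDIT_WRITE when it
 * drops privileges, by reading its capability masks from /proc status text.
 * Not part of dbus; the sample status texts below are constructed. */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_AUDIT_WRITE 29   /* bit index, from linux/capability.h */

/* Constructed samples in the layout /proc/<pid>/status uses on Linux. */
static const char SAMPLE_HOST_ROOT[] =
    "Name:\tdbus-daemon\nUid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\nCapBnd:\t0000003fffffffff\n";
/* Root inside a container whose bounding set has bit 29 cleared. */
static const char SAMPLE_CONTAINER_ROOT[] =
    "Name:\tdbus-daemon\nUid:\t0\t0\t0\t0\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000003fdfffffff\n"
    "CapEff:\t0000003fdfffffff\nCapBnd:\t0000003fdfffffff\n";
static const char SAMPLE_UNPRIV[] =
    "Name:\tdbus-daemon\nUid:\t102\t102\t102\t102\n"
    "CapInh:\t0000000000000000\nCapPrm:\t0000000000000000\n"
    "CapEff:\t0000000000000000\nCapBnd:\t0000003fffffffff\n";

/* Find "<field>:" at the start of a line and parse the hex mask after it.
 * Returns 0 and fills *mask on success, -1 if the field is missing/garbled. */
int status_cap_mask(const char *status, const char *field, uint64_t *mask)
{
    size_t flen = strlen(field);
    const char *line = status;
    while (line && *line) {
        if (strncmp(line, field, flen) == 0 && line[flen] == ':') {
            const char *v = line + flen + 1;
            while (*v == ' ' || *v == '\t') v++;
            char *end;
            errno = 0;
            unsigned long long val = strtoull(v, &end, 16);
            if (end == v || errno != 0) return -1;
            *mask = (uint64_t)val;
            return 0;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* Test one capability bit in a mask. */
int mask_has_cap(uint64_t mask, int cap)
{
    return (int)((mask >> cap) & 1ULL);
}

/* A daemon may only request CAP_AUDIT_WRITE across a uid change if it is
 * already in its permitted set; otherwise the request must be skipped. */
int may_keep_audit_write(const char *status)
{
    uint64_t prm;
    if (status_cap_mask(status, "CapPrm", &prm) != 0) return 0;
    return mask_has_cap(prm, CAP_AUDIT_WRITE);
}

/* Stand-alone use: report the verdict for the running process itself. */
int main(void)
{
    char buf[4096];
    FILE *f = fopen("/proc/self/status", "r");
    if (!f) { perror("fopen /proc/self/status"); return 1; }
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    printf("this process %s keep CAP_AUDIT_WRITE across a uid change\n",
           may_keep_audit_write(buf) ? "can" : "can NOT");
    return 0;
}
```

Running the binary as root on a bare-metal host prints "can"; inside a container started without CAP_AUDIT_WRITE in its bounding set it prints "can NOT", which is exactly the situation where unconditionally adding the capability before capng_change_id() breaks dbus startup.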
Created attachment 313329 [details, diff] See comment 9 for more info
Created attachment 313389 [details, diff] selinux support fixed :) I have tested it locally; it should be checked by a few others before it is committed to the tree.
(In reply to comment #11)
> Created attachment 313389 [details, diff]
> selinux support fixed :)
>
> I have tested it locally should be checked by a few others before committed
> to tree.

This for 1.5.x branch or 1.4.x branch? Already in 1.5.x branch? Where is this from? Is there an upstream bug? From Fedora git? ty :)
(In reply to comment #12)
> (In reply to comment #11)
> > Created attachment 313389 [details, diff]
> > selinux support fixed :)
> >
> > I have tested it locally should be checked by a few others before committed
> > to tree.
>
> This for 1.5.x branch or 1.4.x branch? Already in 1.5.x branch? Where is
> this from? Is there an upstream bug? From Fedora git?
>
> ty :)

Fedora git, will apply to both 1.4 and 1.5, I have not checked to see if it was pushed upstream yet.
Works for me too. And since it's similar to my patch (the location is the same and it just makes the capabilities drop conditional), I dare to say that it should work for 1.4.20 and 1.5.12 (since my patch fixed both and iirc there wasn't even an offset in the code).
Applied to ~arch as 1.5.12-r1 (revision bump) and for stable 1.4.20 (no revision bump)

+*dbus-1.5.12-r1 (29 May 2012)
+
+  29 May 2012; Samuli Suominen <ssuominen@gentoo.org> dbus-1.4.20.ebuild,
+  +dbus-1.5.12-r1.ebuild,
+  +files/dbus-1.5.12-selinux-when-dropping-capabilities-only-include-AUDI.patch:
+  When dropping capabilities only include AUDIT caps if we have them wrt
+  #405975. This makes audit/selinux enabled D-Bus work in a Linux container.
+  Thanks to Jory A. Pratt and Hinnerk van Bruinehsen.