Summary: | sys-app/dbus with libaudit support causes crash on selinux | ||
---|---|---|---|
Product: | Gentoo Linux | Reporter: | Jory A. Pratt <anarchy> |
Component: | [OLD] Core system | Assignee: | Freedesktop bugs <freedesktop-bugs> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | h.v.bruinehsen, selinux |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | http://pkgs.fedoraproject.org/gitweb/?p=dbus.git;a=blob_plain;f=0001-selinux-when-dropping-capabilities-only-include-AUDI.patch;hb=HEAD | ||
Whiteboard: | |||
Package list: | Runtime testing required: | --- | |
Attachments:
- Output of strace
- Output of DBUS_VERBOSE=1 with --system only
- Output of DBUS_VERBOSE=1 with --system and --nofork
- See comment 9 for more info
- selinux support fixed :)
Description
Jory A. Pratt
2012-02-26 23:47:48 UTC
SELinux by itself (not speaking about DBus here) does not require libaudit. I don't know if libaudit support is considered mandatory by DBus developers when enabling SELinux support, but if it's not, I would recommend dropping this dependency (or at least having it depend on USE=audit, like we do with sys-apps/policycoreutils). Can you reproduce this (or give me some pointers on using it)?

testsys ~ # run_init rc-service dbus status
Authenticating root.
 * status: started
testsys ~ # ps -efZ | grep dbus | grep -v grep
system_u:system_r:system_dbusd_t 102 29962 1 0 21:16 ? 00:00:00 /usr/bin/dbus-daemon --system
testsys ~ # sestatus
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             strict
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              disabled
Policy deny_unknown status:     denied
Max kernel policy version:      26

As per Anarchy's investigation, https://bugzilla.redhat.com/show_bug.cgi?id=717147 might prove interesting to try out.

I tried the patch attached to the bug at redhat: though it seems to fix "avc: netlink poll: error 4", dbus doesn't start nonetheless. I'll attach the output of strace dbus-daemon --system, DBUS_VERBOSE=1 dbus-daemon --system and DBUS_VERBOSE=1 dbus-daemon --system --nofork. (DBUS_VERBOSE is only available when compiled with the debug useflag.) Note that dbus --session works for me.

Created attachment 312881 [details]
Output of strace
Created attachment 312883 [details]
Output of DBUS_VERBOSE=1 with --system only
Created attachment 312885 [details]
Output of DBUS_VERBOSE=1 with --system and --nofork
The following line is interesting to work from:

"""
Failed to start message bus: Failed to drop capabilities: Operation not permitted
"""

In the dbus code, this is at bus/selinux.c:

"""
  if (_dbus_geteuid () == 0)
    {
      int rc;

      capng_clear (CAPNG_SELECT_BOTH);
      capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE);
      rc = capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);
      if (rc)
        {
          switch (rc)
            {
            default:
              dbus_set_error (error, DBUS_ERROR_FAILED,
                              "Failed to drop capabilities: %s\n",
                              _dbus_strerror (errno));
              break;
"""

The capng_change_id() function doesn't contain any SELinux-awareness, so I would imagine that the "Operation not permitted" would result in an AVC denial or two. Can you disable dontaudits (semodule -DB) and reproduce? The denials should be visible in avc.log or audit.log. If not, it's wise to take a look at the dmesg output too.

After some testing I found 2 problems causing this mess:

First: Unless DBUS_DEBUG_OUTPUT is set as an environment variable, the "dup2 (dev_null_fd, 2);" call in line 124 in dbus/dbus-sysdeps-util-unix.c seems to close or invalidate the file descriptor of the pid file, which leads to the error "No pid pipe to write to".

Second: In bus/selinux.c in line 1053 the statement "capng_update (CAPNG_ADD, CAPNG_EFFECTIVE | CAPNG_PERMITTED, CAP_AUDIT_WRITE);" causes the function call "capng_change_id (uid, gid, CAPNG_DROP_SUPP_GRP);" to fail (rc gets assigned -9), which causes the error "Failed to drop capabilities: Operation not permitted".

I've got a workaround for both issues: the first is eliminated by commenting out the statement for the debug message, the second is solved by exchanging the "|" with a "&". So far it works for me this way. I'll attach a patch.

Created attachment 313329 [details, diff]
See comment 9 for more info

Created attachment 313389 [details, diff]
selinux support fixed :)
I have tested it locally; it should be checked by a few others before being committed to the tree.
(In reply to comment #11)
> Created attachment 313389 [details, diff]
> selinux support fixed :)
>
> I have tested it locally; it should be checked by a few others before being committed
> to the tree.

This for 1.5.x branch or 1.4.x branch? Already in 1.5.x branch? Where is this from? Is there an upstream bug? From Fedora git?

ty :)

(In reply to comment #12)
> (In reply to comment #11)
> > Created attachment 313389 [details, diff]
> > selinux support fixed :)
> >
> > I have tested it locally; it should be checked by a few others before being committed
> > to the tree.
>
> This for 1.5.x branch or 1.4.x branch? Already in 1.5.x branch? Where is
> this from? Is there an upstream bug? From Fedora git?
>
> ty :)

Fedora git, will apply to both 1.4 and 1.5, I have not checked to see if it was pushed upstream yet.

Works for me too. And since it's similar to my patch (the location is the same and it just makes the capabilities drop conditional), I dare to say that it should work for 1.4.20 and 1.5.12 (since my patch fixed both and iirc there wasn't even an offset in the code).

Applied to ~arch as 1.5.12-r1 (revision bump) and for stable 1.4.20 (no revision bump)

+*dbus-1.5.12-r1 (29 May 2012)
+
+  29 May 2012; Samuli Suominen <ssuominen@gentoo.org> dbus-1.4.20.ebuild,
+  +dbus-1.5.12-r1.ebuild,
+  +files/dbus-1.5.12-selinux-when-dropping-capabilities-only-include-AUDI.patch:
+  When dropping capabilities only include AUDIT caps if we have them wrt
+  #405975. This makes audit/selinux enabled D-Bus work in a Linux container.
+  Thanks to Jory A. Pratt and Hinnerk van Bruinehsen.
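The condition the changelog describes ("only include AUDIT caps if we have them"), as an added example that is not dbus, Fedora or Gentoo code: it reads the permitted capability set from /proc/self/status and puts CAP_AUDIT_WRITE in the set to keep only when it is already permitted. The function names, the /proc parsing and the bitmask representation are this example's assumptions; dbus itself does the equivalent with libcap-ng's capng_* calls.

```c
/* Added illustration, not dbus code. "Failed to drop capabilities" is what
 * happens when CAP_AUDIT_WRITE is requested while absent from the permitted
 * set (usual inside a container). The changelog fix checks first; this does
 * the same check from /proc/self/status rather than via libcap-ng. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_AUDIT_WRITE_BIT 29  /* CAP_AUDIT_WRITE in <linux/capability.h> */

/* "CapPrm:\t0000000020000000" -> 0x20000000; returns 0 on malformed input. */
uint64_t parse_cap_line(const char *line)
{
    const char *p = strchr(line, ':');
    return p ? (uint64_t) strtoull(p + 1, NULL, 16) : 0;  /* skips blanks */
}

/* 1 if capability number cap is present in mask, else 0. */
int mask_has_cap(uint64_t mask, int cap)
{
    return (cap >= 0 && cap < 64) ? (int) ((mask >> cap) & 1ULL) : 0;
}

/* Caps to ask capng_change_id() to keep: CAP_AUDIT_WRITE only when already
 * permitted. Asking unconditionally (pre-fix dbus) fails the whole drop. */
uint64_t caps_to_keep(uint64_t permitted)
{
    return mask_has_cap(permitted, CAP_AUDIT_WRITE_BIT)
               ? (1ULL << CAP_AUDIT_WRITE_BIT) : 0;
}

int main(void)
{
    char line[256];
    FILE *f = fopen("/proc/self/status", "r");  /* assumes Linux procfs */
    if (!f)
        return 1;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapPrm:", 7) == 0) {
            uint64_t prm = parse_cap_line(line);
            printf("CapPrm=%016llx keep=%016llx\n", (unsigned long long) prm,
                   (unsigned long long) caps_to_keep(prm));
        }
    }
    fclose(f);
    return 0;
}
```

Running it on the host and inside a container shows the difference in CapPrm that made the unconditional request fail for the reporter.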