On 01/30/2010 12:38 PM, Steve Blackwell wrote:
I have been getting a lot of AVCs that are related to dbus. A quick
check shows that I have 2 dbus daemons running.
$ ps aux | grep dbus
dbus 1615 0.0 0.1 14160 1880 ? Ssl 11:53 0:01 dbus-daemon --system
gdm 2385 0.0 0.0 3312 580 ? S 11:54 0:00 /usr/bin/dbus-launch --exit-with-session
steve 2650 0.0 0.0 3312 576 ? S 11:58 0:00 dbus-launch --sh-syntax --exit-with-session
steve 2652 0.1 0.1 13528 1484 ? Ssl 11:58 0:01 /bin/dbus-daemon --fork --print-pid 7 --print-address 9 --session
steve 3154 0.0 0.0 4192 708 pts/0 S+ 12:16 0:00 grep dbus
The one that is owned by dbus has a system_u:system_r:system_dbusd_t context.
The one that is owned by me has an unconfined_u:unconfined_r:unconfined_t context.
First question: should I really have 2 dbus-daemons?
One AVC says that the dbus daemon owned by dbus can't search
unconfined_t. It was trying to search /proc/2963 which was the
gpk-update-viewer which was running unconfined. (I'm running SELinux in
permissive mode)
$ ps -efZ | grep 2964
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 steve 2963 1 3 12:05 ? 00:00:07 gpk-update-viewer
Second question: does dbus have any reason to look at gpk-update-viewer?
Clearly, it needs to record the fact that the system was updated but
why does it need to check the update viewer for that?
Last question: how do I fix this? I don't have any modified or
additional SELinux policies so I would have thought this would work
"out-of-the-box".
Here is the raw audit message:
node=steve.blackwell type=AVC msg=audit(1264871141.507:132): avc: denied { search } for pid=1615 comm="dbus-daemon" name="2963" dev=proc ino=17982 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
$ sestatus
SELinux status: enabled
SELinuxfs mount: /selinux
Current mode: permissive
Mode from config file: permissive
Policy version: 24
Policy from config file: targeted
$ rpm -qa | grep selinux
libselinux-2.0.80-1.fc11.i586
selinux-policy-targeted-3.6.12-93.fc11.noarch
libselinux-utils-2.0.80-1.fc11.i586
libselinux-devel-2.0.80-1.fc11.i586
libselinux-python-2.0.80-1.fc11.i586
selinux-policy-3.6.12-93.fc11.noarch
Thanks,
Steve
--
selinux mailing list
selinux(a)lists.fedoraproject.org
https://admin.fedoraproject.org/mailman/listinfo/selinux
This is allowed in the Rawhide and F12 policies.
Dbus is trying to read the /proc/PID/cmdline of the process that is communicating with it.
(I believe).
It is a bug in F11 policy that it is not allowed.
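As an added example (not code from either poster or from the Fedora policy), here is a small parser for the raw AVC record quoted above. It pulls out the source and target types, the denied permission and the object class, recognises the "numeric directory on proc" pattern that the reply attributes to dbus looking at /proc/<peer pid>, and prints the type-enforcement allow statement that would cover exactly this access (the same shape audit2allow emits; that mapping is stated from TE syntax, not from the thread). It also shows why nothing broke for Steve: sestatus reported permissive mode, so the denial was logged but not enforced.

```python
import re

# Constructed input: the raw audit message from the post, joined onto one line.
AVC_LINE = (
    'node=steve.blackwell type=AVC msg=audit(1264871141.507:132): avc: '
    'denied { search } for pid=1615 comm="dbus-daemon" name="2963" dev=proc '
    'ino=17982 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir'
)

MSG_RE = re.compile(r'msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\)')
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)$'
)
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def context_type(ctx):
    """Return the type component (user:role:TYPE:range) of an SELinux context."""
    return ctx.split(':')[2]


def parse_avc(line):
    """Parse one AVC audit record into a dict, or return None if it is not an AVC."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {'result': m.group('result'), 'perms': m.group('perms').split()}
    msg = MSG_RE.search(line)
    if msg:
        rec['timestamp'] = float(msg.group('ts'))
        rec['serial'] = int(msg.group('serial'))
    # Everything after "for" is key=value pairs; values may be quoted.
    for key, val in KV_RE.findall(m.group('rest')):
        rec[key] = val.strip('"')
    for key in ('pid', 'ino'):
        if key in rec:
            rec[key] = int(rec[key])
    rec['scontext_type'] = context_type(rec['scontext'])
    rec['tcontext_type'] = context_type(rec['tcontext'])
    return rec


def proc_peer_pid(rec):
    """If the denied object is a numeric directory on the proc filesystem,
    return that PID. This is the /proc/<pid> lookup the reply describes."""
    if (rec.get('dev') == 'proc' and rec.get('tclass') == 'dir'
            and rec.get('name', '').isdigit()):
        return int(rec['name'])
    return None


def allow_rule(rec):
    """Type-enforcement statement permitting exactly this access
    (assumption: written here from TE syntax; not taken from the thread)."""
    return 'allow %s %s:%s %s;' % (rec['scontext_type'], rec['tcontext_type'],
                                   rec['tclass'], ' '.join(rec['perms']))


def enforced(rec, mode):
    """True only if the denial actually blocked the access, i.e. in enforcing mode."""
    return rec['result'] == 'denied' and mode == 'enforcing'


if __name__ == '__main__':
    rec = parse_avc(AVC_LINE)
    print('%s (pid %d, %s) denied %s on %s %s' % (
        rec['comm'], rec['pid'], rec['scontext_type'],
        ','.join(rec['perms']), rec['tclass'], rec['tcontext_type']))
    print('peer pid:', proc_peer_pid(rec))
    print(allow_rule(rec))
    print('blocked in permissive mode:', enforced(rec, 'permissive'))
```

Running it against the record above reports dbus-daemon (pid 1615, system_dbusd_t) denied search on a dir of type unconfined_t, peer pid 2963, the rule `allow system_dbusd_t unconfined_t:dir search;`, and `blocked in permissive mode: False`.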