Bug 1364485 - dbus doesn't resolve SELinux classes and permission correctly
Summary: dbus doesn't resolve SELinux classes and permission correctly
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 7
Classification: Red Hat
Component: dbus
Version: 7.3
Hardware: Unspecified
OS: Unspecified
Priority: unspecified
Severity: high
Target Milestone: rc
Target Release: ---
Assignee: David King
QA Contact: Desktop QE
URL:
Whiteboard:
Duplicates: 1328014 1362655
Depends On:
Blocks: 1362273 1363977 1363989
Reported: 2016-08-05 13:29 UTC by Petr Lautrbach
Modified: 2016-11-04 06:41 UTC
CC List: 5 users

Fixed In Version: dbus-1.6.12-15.el7
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Environment:
Last Closed: 2016-11-04 06:41:21 UTC
Target Upstream Version:



Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2016:2453 normal SHIPPED_LIVE dbus bug fix and enhancement update 2016-11-03 14:04:29 UTC

Description Petr Lautrbach 2016-08-05 13:29:57 UTC
Description of problem:
The current version of DBUS in rhel-7.3 uses constants from selinux/flask.h. This is a deprecated method and it doesn't work correctly with the rebased SELinux userspace in RHEL-7.3. DBUS generates audit messages with untranslated classes and permissions like:

type=USER_AVC msg=audit(08/04/2016 10:24:46.713:367) : pid=549 uid=dbus auid=unset ses=unset subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { 0x2 } for msgtype=method_return dest=:1.95 spid=699 tpid=18677 scontext=system_u:system_r:NetworkManager_t:s0 tcontext=system_u:system_r:puppetagent_t:s0 tclass=(null)  exe=/usr/bin/dbus-daemon sauid=dbus hostname=? addr=? terminal=?' 

To ensure that classes and permissions are translated correctly, bus/selinux.c should use selinux_set_mapping() instead of constants from selinux/flask.h as it's already fixed upstream in 

https://cgit.freedesktop.org/dbus/dbus/commit/bus/selinux.c?id=ba088208bc0c35ca418a097a8482c4a7705f4a43

Since the upstream doesn't use dbus-1.6.12-mls-listnames.patch, this patch needs to be changed as well.



Steps to Reproduce:
1. run 'service ModemManager restart'
2. check /var/log/audit/audit.log or use 'ausearch -m user_avc -ts recent'


Actual results:
type=USER_AVC msg=audit(1470403659.361:109): pid=451 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { 0x2 } for msgtype=method_call interface=org.freedesktop.login1.Manager member=Inhibit dest=:1.1 spid=921 tpid=450 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=(null)  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'


Expected results:
type=USER_AVC msg=audit(1470403659.361:109): pid=451 uid=81 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_call interface=org.freedesktop.login1.Manager member=Inhibit dest=:1.1 spid=921 tpid=450 scontext=system_u:system_r:modemmanager_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus  exe="/usr/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
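As an added example (not part of the bug report or of the dbus sources), the following script parses USER_AVC records such as the two above, flags the symptom of this bug (a hex permission mask and/or tclass=(null)), and re-translates dbus-daemon records using the same bit order that the upstream selinux_set_mapping() call assigns to the "dbus" class; the acquire_svc = 0x1 bit is an assumption from that mapping order, while 0x2 = send_msg is confirmed by the expected results.

```python
import re

# Permission names in the order dbus registers them for its "dbus" class via
# selinux_set_mapping(); libselinux assigns bit 1<<i to the i-th name, so
# acquire_svc = 0x1 (assumed from the mapping order) and send_msg = 0x2
# (0x2 -> send_msg is what the expected results above show).
DBUS_CLASS_PERMS = ("acquire_svc", "send_msg")

AVC_RE = re.compile(
    r"avc:\s+(?P<verdict>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}"
    r".*?\btclass=(?P<tclass>\S+)"
)

def decode_perm_mask(mask, names):
    """Expand a raw permission bitmask into names the way the mapping defines them."""
    out = [name for i, name in enumerate(names) if mask & (1 << i)]
    leftover = mask & ~((1 << len(names)) - 1)
    if leftover:
        out.append("0x%x" % leftover)  # bits beyond the known mapping stay raw
    return out

def analyse_user_avc(line):
    """Parse one USER_AVC record from audit.log / ausearch output.

    Returns None for lines without an avc message, otherwise a dict with the
    permission list, the object class, and whether the daemon logged them
    untranslated (hex mask and/or tclass=(null)), i.e. the symptom of this bug.
    """
    m = AVC_RE.search(line)
    if m is None:
        return None
    perms = m.group("perms").split()
    tclass = m.group("tclass")
    untranslated = tclass == "(null)" or any(p.startswith("0x") for p in perms)
    # Only dbus-daemon's checks use the "dbus" class, so only its records are
    # re-translated here (assumption: the record's exe= names dbus-daemon).
    if untranslated and "dbus-daemon" in line:
        fixed = []
        for p in perms:
            fixed += decode_perm_mask(int(p, 16), DBUS_CLASS_PERMS) if p.startswith("0x") else [p]
        perms, tclass = fixed, ("dbus" if tclass == "(null)" else tclass)
    return {"verdict": m.group("verdict"), "perms": perms, "tclass": tclass,
            "untranslated": untranslated}

# Constructed samples, abridged from the "Actual" and "Expected" results above.
BROKEN = ("type=USER_AVC msg=audit(1470403659.361:109): pid=451 uid=81 "
          "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  "
          "{ 0x2 } for msgtype=method_call member=Inhibit dest=:1.1 "
          "scontext=system_u:system_r:modemmanager_t:s0 "
          "tcontext=system_u:system_r:systemd_logind_t:s0 tclass=(null)  "
          "exe=\"/usr/bin/dbus-daemon\" sauid=81 hostname=? addr=? terminal=?'")
FIXED = BROKEN.replace("{ 0x2 }", "{ send_msg }").replace("tclass=(null)", "tclass=dbus")

if __name__ == "__main__":
    for rec in (BROKEN, FIXED):
        print(analyse_user_avc(rec))
```

Running it over a full audit.log shows which hosts still emit the untranslated form and therefore still run a dbus built against the deprecated flask.h constants.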

Comment 1 David King 2016-08-08 11:56:03 UTC
I have the backported patch and MLS changes ready to go.

Comment 2 David King 2016-08-08 13:14:50 UTC
*** Bug 1362655 has been marked as a duplicate of this bug. ***

Comment 3 David King 2016-08-08 13:19:09 UTC
*** Bug 1328014 has been marked as a duplicate of this bug. ***

Comment 6 Matěj Cepl 2016-08-31 18:00:03 UTC
With dbus-1.6.12-16.el7.x86_64

mitmanek:~# service ModemManager restart
Redirecting to /bin/systemctl restart  ModemManager.service
mitmanek:~# ausearch -m user_avc -ts recent
<no matches>
mitmanek:~#

Comment 8 errata-xmlrpc 2016-11-04 06:41:21 UTC
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.

For information on the advisory, and where to find the updated
files, follow the link below.

If the solution does not work for you, open a new bug report.

https://rhn.redhat.com/errata/RHBA-2016-2453.html
