From: guido@trentalancia.com (Guido Trentalancia)
Date: Wed, 12 Jan 2011 22:32:10 +0100
Subject: [refpolicy] refpolicy-2.20101213 (mcs) and dbus messages
Message-ID: <1294867930.1731.34.camel@tesla.lan>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello,

I have just built and installed refpolicy-2.20101213 (mcs) but I get
problems with dbus, such as the following:

Jan 11 18:54:04 tesla gnome-session[2744]: WARNING: Could not connect to
ConsoleKit: An SELinux policy prevents this sender from sending this
message to this recipient (rejected message had sender "(unset)"
interface "org.freedesktop.DBus" member "Hello" error name "(unset)"
destination "org.freedesktop.DBus")
Jan 11 07:41:59 tesla gdm-binary[2513]: WARNING: Couldn't connect to
system bus: An SELinux policy prevents this sender from sending this
message to this recipient (rejected message had sender "(unset)"
interface "org.freedesktop.DBus" member "Hello" error name "(unset)"
destination "org.freedesktop.DBus")
Jan 12 21:58:29 tesla pulseaudio[31181]: hal-util.c: Unable to contact
DBUS system bus: org.freedesktop.DBus.Error.AccessDenied: An SELinux
policy prevents this sender from sending this message to this recipient
(rejected message had sender "(unset)" interface "org.freedesktop.DBus"
member "Hello" error name "(unset)" destination "org.freedesktop.DBus")

or in terms of audit, things like:

type=USER_AVC msg=audit(1294728121.875:414): user pid=6167 uid=81
auid=4294967295 ses=4294967295
subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='avc:  denied
{ send_msg } for msgtype=method_call interface=org.freedesktop.DBus
member=Hello dest=org.freedesktop.DBus spid=6211
scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=dbus :
exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1294728121.925:415): user pid=6167 uid=81
auid=4294967295 ses=4294967295
subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='avc:  denied
{ send_msg } for msgtype=method_call interface=org.freedesktop.DBus
member=Hello dest=org.freedesktop.DBus spid=6222
scontext=system_u:system_r:initrc_t:s0
tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=dbus :
exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'

Now, the dbus module is loaded:

dbus	1.14.0

I had to relabel /sbin/upstart by modifying the default contexts. In
fact, nowadays /sbin/init is often a symlink to /sbin/upstart (see
Debian, Fedora and possibly others) but unfortunately this is not
contemplated in the default file_contexts.

Anyway, after relabelling /sbin/upstart sestatus also looks fine:

SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   enforcing
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        refpolicy-mcs

Process contexts:
Current context:
system_u:system_r:local_login_t:s0-s0:c0.c1023
Init context:                   system_u:system_r:init_t:s0
/sbin/mingetty                  system_u:system_r:getty_t:s0

So, what is missing ? Any idea on how to sort this out would be greatly
appreciated !

Regards,

Guido