From: domg472@gmail.com (Dominick Grift) Date: Thu, 13 Jan 2011 10:19:20 +0100 Subject: [refpolicy] refpolicy-2.20101213 (mcs) and dbus messages In-Reply-To: <1294867930.1731.34.camel@tesla.lan> References: <1294867930.1731.34.camel@tesla.lan> Message-ID: <4D2EC398.7060304@gmail.com> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com -----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 01/12/2011 10:32 PM, Guido Trentalancia wrote: > Hello, > > I have just built and installed refpolicy-2.20101213 (mcs) but I get > problems with dbus, such as the following: > > Jan 11 18:54:04 tesla gnome-session[2744]: WARNING: Could not connect to > ConsoleKit: An SELinux policy prevents this sender from sending this > message to this recipient (rejected message had sender "(unset)" > interface "org.freedesktop.DBus" member "Hello" error name "(unset)" > destination "org.freedesktop.DBus") > Jan 11 07:41:59 tesla gdm-binary[2513]: WARNING: Couldn't connect to > system bus: An SELinux policy prevents this sender from sending this > message to this recipient (rejected message had sender "(unset)" > interface "org.freedesktop.DBus" member "Hello" error name "(unset)" > destination "org.freedesktop.DBus") > Jan 12 21:58:29 tesla pulseaudio[31181]: hal-util.c: Unable to contact > DBUS system bus: org.freedesktop.DBus.Error.AccessDenied: An SELinux > policy prevents this sender from sending this message to this recipient > (rejected message had sender "(unset)" interface "org.freedesktop.DBus" > member "Hello" error name "(unset)" destination "org.freedesktop.DBus") > > or in terms of audit, things like: > > type=USER_AVC msg=audit(1294728121.875:414): user pid=6167 uid=81 > auid=4294967295 ses=4294967295 > subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='avc: denied > { send_msg } for msgtype=method_call interface=org.freedesktop.DBus > member=Hello dest=org.freedesktop.DBus spid=6211 > scontext=system_u:system_r:initrc_t:s0 > tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=dbus : > exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' > type=USER_AVC msg=audit(1294728121.925:415): user pid=6167 uid=81 > auid=4294967295 ses=4294967295 > subj=system_u:system_r:local_login_t:s0-s0:c0.c1023 msg='avc: denied > { send_msg } for msgtype=method_call interface=org.freedesktop.DBus > member=Hello dest=org.freedesktop.DBus spid=6222 > scontext=system_u:system_r:initrc_t:s0 > tcontext=system_u:system_r:local_login_t:s0-s0:c0.c1023 tclass=dbus : > exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?' > > Now, the dbus module is loaded: > > dbus 1.14.0 > > I had to relabel /sbin/upstart by modifying the default contexts. In > fact, nowadays /sbin/init is often a symlink to /sbin/upstart (see > Debian, Fedora and possibly others) but unfortunately this is not > contemplated in the default file_contexts. > > Anyway, after relabelling /sbin/upstart sestatus also looks fine: > > SELinux status: enabled > SELinuxfs mount: /selinux > Current mode: enforcing > Mode from config file: permissive > Policy version: 24 > Policy from config file: refpolicy-mcs > > Process contexts: > Current context: > system_u:system_r:local_login_t:s0-s0:c0.c1023 > Init context: system_u:system_r:init_t:s0 > /sbin/mingetty system_u:system_r:getty_t:s0 > > So, what is missing ? Any idea on how to sort this out would be greatly > appreciated ! Something runs in initrc_t where it probably should not. Could well be the dbus system bus. I do not know. ps auxZ | grep initrc_t would probably reveal it. Once its determined which process runs initrc_t, you can target your troubleshoot efforts to this process. > > Regards, > > Guido > > _______________________________________________ > refpolicy mailing list > refpolicy at oss.tresys.com > http://oss.tresys.com/mailman/listinfo/refpolicy -----BEGIN PGP SIGNATURE----- Version: GnuPG v2.0.16 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0uw5gACgkQMlxVo39jgT/xiQCgxKBe3e2bqSYo6QvDTH3HgQJs iB8AnAkGefZcGAI1ULL5XgkeEGOLWhlQ =MJL+ -----END PGP SIGNATURE-----