From: guido@trentalancia.net (Guido Trentalancia)
Date: Sun, 14 Aug 2016 22:05:17 +0200 (CEST)
Subject: [refpolicy] [PATCH] Allow dbus to execute binaries
In-Reply-To:
References: <395201837.942692.1471122911126.JavaMail.open-xchange@popper02.register.it> <1471203435.27146.24.camel@trentalancia.net>
Message-ID: <338505048.945576.1471205117819.JavaMail.open-xchange@popper02.register.it>
To: refpolicy@oss.tresys.com
List-Id: refpolicy.oss.tresys.com

Hello Dominick.

> On the 14th August 2016 at 21.40 Dominick Grift wrote:
>
>
> On 08/14/2016 09:37 PM, Guido Trentalancia wrote:
> > On Sun, 14/08/2016 at 11.00 +0200, Dominick Grift wrote:
> >> On 08/13/2016 11:15 PM, Guido Trentalancia wrote:
> >>> Update for the dbus module so that it can start.
> >>
> >> What binary are you referring to?
> >
> > Apparently it tries to execute /bin/false. If it fails, it refuses to
> > start.
> >
>
> Oh sorry I overlooked this reply. I can't reproduce this. Please
> reproduce and enclose the avc denial. This shouldn't be needed in my
> experience.

type=AVC msg=audit(1471048594.845:72): avc: denied { execute } for pid=2075 comm="dbus-daemon-lau" name="false" dev="dm-2" ino=1583337 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file permissive=0

type=SYSCALL msg=audit(1471048594.845:72): arch=c000003e syscall=59 success=no exit=-13 a0=15c6eb0 a1=15c6740 a2=15c6010 a3=95 items=0 ppid=2074 pid=2075 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="dbus-daemon-lau" exe="/usr/libexec/dbus-daemon-launch-helper" subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)

I am not happy to add the permission, but unfortunately, if it refuses to start, I can't see other choices.

> >>> Signed-off-by: Guido Trentalancia > >>> --- > >>> policy/modules/contrib/dbus.te | 1 + > >>> 1 file changed, 1 insertion(+) > >>> > >>> --- refpolicy-git-06082016-orig/policy/modules/contrib/dbus.te > >>> 2016-08-06 > >>> 21:27:11.344094223 +0200 > >>> +++ refpolicy-git-06082016/policy/modules/contrib/dbus.te 20 > >>> 16-08-13 > >>> 13:20:54.013168684 +0200 > >>> @@ -91,6 +91,7 @@ kernel_read_kernel_sysctls(system_dbusd_ > >>> corecmd_list_bin(system_dbusd_t) > >>> corecmd_read_bin_pipes(system_dbusd_t) > >>> corecmd_read_bin_sockets(system_dbusd_t) > >>> +corecmd_exec_bin(system_dbusd_t) > >>> corecmd_exec_shell(system_dbusd_t) > >>> > >>> dev_read_urand(system_dbusd_t) Regards, Guido
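
Review bot: The added corecmd_exec_bin(system_dbusd_t) line in the dbus.te hunk at -91,6 +91,7 is unconditional and uncommented, and it covers every file labelled bin_t, while the only denial quoted in this thread is a single { execute } on name="false" (tcontext bin_t) issued by /usr/libexec/dbus-daemon-launch-helper. Please put a comment above the new line stating why it is needed (the launch helper executing /bin/false) and include the AVC record in the commit message, so the grant can be revisited if the helper's behaviour changes. Since Dominick could not reproduce the denial, it would also help to state which dbus configuration triggers the exec, and to check whether the rule can be scoped to that case rather than applied to all of system_dbusd_t.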