On Wed, 2015-07-08 at 13:02 -0400, Josh Boyer wrote:
> On Wed, Jul 8, 2015 at 12:50 PM, Kevin Fenzi <kevin(a)scrye.com> wrote:
> > On Wed, 8 Jul 2015 10:32:53 -0400
> > Josh Boyer <jwboyer(a)fedoraproject.org> wrote:
> >
> > > I just pushed this to git and started a build. It will be in rawhide
> > > tomorrow with the 4.2.0-0.rc1.git2.1 kernel. (I was waiting for rc1
> > > before adding it.)
> > >
> > > I did test both with and without kdbus=1 and both worked at least from
> > > a boot standpoint. The initramfs on an install lacks the kdbus
> > > module, so it needs to be rebuilt if one wishes to use kdbus.
> >
> > Seems to work here with the following issues/bugs/whatever:
> >
> > - cpu usage is really high, seems to mostly be firewalld doing
> > something that generates audit messages and those spewing to the
> > journal. This drives the load on my laptop up to 5-6 or so and cpu
> > fans spinning.
>
> I noticed this as well.
>
> > - selinux isn't happy with things:
> > Jul 08 10:32:08 voldemort.scrye.com audit[1086]: AVC avc: denied
> > { connectto } for pid=1086 comm="sedispatch"
> > path="/run/dbus/system_bus_socket"
> > scontext=system_u:system_r:audisp_t:s0
> > tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
> > permissive=0
> >
> > Where should we report bugs for this work?
>
> Hm, tough call. Perhaps against systemd unless it's a kernel oops? I
> would think systemd might need to set SELinux to permissive if it's
> booting in kdbus mode until kdbus works with SELinux upstream.
File a bug with selinux-policy. Current policy allows:

    allow audisp_t system_dbusd_t : unix_stream_socket connectto ;

But the thing on the other side of /run/dbus/system_bus_socket is no
longer system_dbusd_t, it is init_t...

Is that actually pid=1 on the other side, or something else that we
should just get labeled correctly in policy?
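The mismatch described above (the existing allow rule names system_dbusd_t as the target, while the denial reports init_t) is exactly the kind of thing that is easy to miss when reading raw AVC output. The following Python script is an added example, not code from the thread or from the selinux-policy project: it parses AVC denial lines of the form quoted above into source type, target type, class and permissions, parses allow rules written in the same "allow src tgt : class perm ;" form, and reports whether a denial is covered, uncovered, or only misses on the target type. The sample AVC line and rule are reconstructed from the thread; the triage labels and helper names are the example's own.

```python
import re

# Constructed sample: the AVC denial quoted in the thread, joined back into one line.
SAMPLE_AVC = (
    'audit[1086]: AVC avc:  denied  { connectto } for pid=1086 comm="sedispatch" '
    'path="/run/dbus/system_bus_socket" scontext=system_u:system_r:audisp_t:s0 '
    'tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0'
)

# Constructed sample: the allow rule quoted in the thread.
SAMPLE_RULES = [
    "allow audisp_t system_dbusd_t : unix_stream_socket connectto ;",
]

# Fields of an AVC record: result, permission set, source/target contexts, object class.
AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*)\}'
    r'.*?scontext=(?P<scontext>\S+)'
    r'.*?tcontext=(?P<tcontext>\S+)'
    r'.*?tclass=(?P<tclass>\S+)'
)

# A single allow rule; the permission part may be one name or a brace-enclosed set.
RULE_RE = re.compile(
    r'^\s*allow\s+(?P<src>\S+)\s+(?P<tgt>\S+)\s*:\s*(?P<cls>\S+)\s+'
    r'(?:\{\s*(?P<permset>[^}]*)\}|(?P<perm>\S+))\s*;'
)


def context_type(ctx):
    """Return the type field of an SELinux context user:role:type[:range]."""
    parts = ctx.split(":")
    if len(parts) < 3:
        raise ValueError(f"malformed context: {ctx}")
    return parts[2]


def parse_avc(line):
    """Extract the access-vector fields from one AVC line, or None if it is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "result": m.group("result"),
        "perms": set(m.group("perms").split()),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }


def parse_rule(text):
    """Parse 'allow src tgt : class perm ;' or 'allow src tgt : class { p1 p2 } ;'."""
    m = RULE_RE.match(text)
    if not m:
        raise ValueError(f"unrecognised rule: {text}")
    permset = m.group("permset")
    perms = set(permset.split()) if permset is not None else {m.group("perm")}
    return {"src": m.group("src"), "tgt": m.group("tgt"),
            "cls": m.group("cls"), "perms": perms}


def rule_covers(rule, avc):
    """True if the rule grants every permission the AVC asked for on that class and types."""
    return (rule["src"] == avc["stype"] and rule["tgt"] == avc["ttype"]
            and rule["cls"] == avc["tclass"] and avc["perms"] <= rule["perms"])


def triage(line, rules):
    """Classify a denial against a list of rule strings.

    Returns "covered" if some rule would permit it, "no-rule" if nothing comes
    close, or "target-type-mismatch:<rule targets>-><denied target>" when a rule
    matches on source type, class and permissions but names a different target
    type, which is the situation in the thread.
    """
    avc = parse_avc(line)
    if avc is None:
        return None
    parsed = [parse_rule(r) for r in rules]
    if any(rule_covers(r, avc) for r in parsed):
        return "covered"
    near = [r for r in parsed
            if r["src"] == avc["stype"] and r["cls"] == avc["tclass"]
            and avc["perms"] <= r["perms"]]
    if near:
        targets = ",".join(sorted(r["tgt"] for r in near))
        return f"target-type-mismatch:{targets}->{avc['ttype']}"
    return "no-rule"


if __name__ == "__main__":
    print(triage(SAMPLE_AVC, SAMPLE_RULES))
```

Run against the thread's own denial and rule this prints "target-type-mismatch:system_dbusd_t->init_t", which is the question the last message raises: whether the listener on /run/dbus/system_bus_socket really runs as init_t, or whether it should carry a label that the existing rule already covers. Feeding it the output of "sesearch -A -s audisp_t -c unix_stream_socket" (or the relevant lines from a policy .te file) instead of the constructed rule list works the same way, since sesearch prints rules in the same form.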