kdbus and Fedora

[Eric Paris]

On Wed, 2015-07-08 at 13:02 -0400, Josh Boyer wrote:
> On Wed, Jul 8, 2015 at 12:50 PM, Kevin Fenzi <kevin at scrye.com> wrote:
> > On Wed, 8 Jul 2015 10:32:53 -0400
> > Josh Boyer <jwboyer at fedoraproject.org> wrote:
> > 
> > > I just pushed this to git and started a build.  It will be in 
> > > rawhide
> > > tomorrow with the 4.2.0-0.rc1.git2.1 kernel.  (I was waiting for 
> > > rc1
> > > before adding it.)
> > > 
> > > I did test both with and without kdbus=1 and both worked at least 
> > > from
> > > a boot standpoint.  The initramfs on an install lacks the kdbus
> > > module, so it needs to be rebuilt if one wishes to use kdbus.
> > 
> > Seems to work here with the following issues/bugs/whatever:
> > 
> > - cpu usage is really high, seems to mostly be firewalld doing
> >   something that generates audit messages and those spewing to the
> >   journal. This drives the load on my laptop up to 5-6 or so and 
> > cpu
> >   fans spinning.
> 
> I noticed this as well.
> 
> > - selinux isn't happy with things:
> > Jul 08 10:32:08 voldemort.scrye.com audit[1086]: AVC avc:  denied
> > { connectto } for  pid=1086 comm="sedispatch"
> > path="/run/dbus/system_bus_socket"
> > scontext=system_u:system_r:audisp_t:s0
> > tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket
> > permissive=0
> > 
> > Where should we report bugs for this work?
> 
> Hm, tough call.  Perhaps against systemd unless it's a kernel oops? 
>  I
> would think systemd might need to set SELinux to permissive if it's
> booting in kdbus mode until kdbus works with SELinux upstream.

File a bug with selinux-policy. Current policy allows:

   allow audisp_t system_dbusd_t : unix_stream_socket connectto ;

But the thing on the other side of /run/dbus/system_bus_socket is no
longer system_dbus_t   it is init_t...

Is that actually pid=1 on the other side, or something else that we
should just get labeled correctly in policy?