kdbus and Fedora

Eric Paris eparis at redhat.com
Wed Jul 8 19:46:16 UTC 2015


On Wed, 2015-07-08 at 20:58 +0200, David Herrmann wrote:
> Hi
> 
> On Wed, Jul 8, 2015 at 8:39 PM, Eric Paris <eparis at redhat.com> wrote:
> > On Wed, 2015-07-08 at 13:02 -0400, Josh Boyer wrote:
> > > On Wed, Jul 8, 2015 at 12:50 PM, Kevin Fenzi <kevin at scrye.com> wrote:
> > > > On Wed, 8 Jul 2015 10:32:53 -0400
> > > > Josh Boyer <jwboyer at fedoraproject.org> wrote:
> > > > 
> > > > > I just pushed this to git and started a build.  It will be in rawhide
> > > > > tomorrow with the 4.2.0-0.rc1.git2.1 kernel.  (I was waiting for rc1
> > > > > before adding it.)
> > > > > 
> > > > > I did test both with and without kdbus=1 and both worked at least
> > > > > from a boot standpoint.  The initramfs on an install lacks the kdbus
> > > > > module, so it needs to be rebuilt if one wishes to use kdbus.
> > > > 
> > > > Seems to work here with the following issues/bugs/whatever:
> > > > 
> > > > - cpu usage is really high, seems to mostly be firewalld doing
> > > >   something that generates audit messages and those spewing to the
> > > >   journal. This drives the load on my laptop up to 5-6 or so and cpu
> > > >   fans spinning.
> > > 
> > > I noticed this as well.
> 
> I assume this happens only with kdbus=1 (and is unrelated to other
> 4.2-rc1 changes)? Any details on this are highly welcome.
> 
> > > > - selinux isn't happy with things:
> > > > Jul 08 10:32:08 voldemort.scrye.com audit[1086]: AVC avc:  denied  { connectto } for  pid=1086 comm="sedispatch"
> > > > path="/run/dbus/system_bus_socket" scontext=system_u:system_r:audisp_t:s0
> > > > tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0
> > > > 
> > > > Where should we report bugs for this work?
> 
> (kdbus related bugs should be reported against systemd for now. If
> it's a kernel oops, you might wanna prefer LKML and put us on CC).
> 
> > > Hm, tough call.  Perhaps against systemd unless it's a kernel oops?
> > > I would think systemd might need to set SELinux to permissive if it's
> > > booting in kdbus mode until kdbus works with SELinux upstream.
> > 
> > File a bug with selinux-policy. Current policy allows:
> > 
> >    allow audisp_t system_dbusd_t : unix_stream_socket connectto ;
> > 
> > But the thing on the other side of /run/dbus/system_bus_socket is no
> > longer system_dbus_t   it is init_t...
> > 
> > Is that actually pid=1 on the other side, or something else that we
> > should just get labeled correctly in policy?
> 
> This is the system bus socket of dbus-daemon. If kdbus is enabled,
> it's not used by any systemd binary (they use kdbus directly). The
> only exception is systemd-bus-proxyd which provides this socket
> (replaces dbus-daemon) for backwards compatibility (proxy between
> dbus1 and kdbus). This socket, though, is created by pid1 via a
> .socket unit and bus-proxyd is socket activated.
> 
> As I cannot parse this selinux error, I hope someone with selinux
> background can shed some light on this.

I thought I did explain what the AVC meant. In any case, looks like
/usr/bin/dbus-daemon is labeled system_u:object_r:dbusd_exec_t:s0

So can someone try:
  chcon system_u:object_r:dbusd_exec_t:s0 /path/to/systemd-bus-proxyd

You'll then need to get systemd-bus-proxyd to re-exec (either by root
or kill and have systemd restart, I dunno).

That will hopefully take care of this avc, at least...
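The AVC record quoted above and the `allow` rule Eric quotes from the current policy can be compared mechanically, which is what this added example does. It is not code from the thread, Fedora or the SELinux project. It assumes the audit line is the one from Kevin's mail re-joined onto a single line, that the reference rule is the one Eric quotes, and the verdict names (`label-mismatch`, `covered`, `uncovered`) are my own: `label-mismatch` means the denial would already be allowed if the peer carried the type the policy expects, i.e. the label is wrong rather than the policy, which is the situation the `chcon` suggestion above addresses.

```python
import re

# Constructed sample: the AVC record from the thread, re-joined onto one line.
SAMPLE_AVC = (
    'Jul 08 10:32:08 voldemort.scrye.com audit[1086]: AVC avc:  denied  '
    '{ connectto } for  pid=1086 comm="sedispatch" '
    'path="/run/dbus/system_bus_socket" '
    'scontext=system_u:system_r:audisp_t:s0 '
    'tcontext=system_u:system_r:init_t:s0 tclass=unix_stream_socket permissive=0'
)

# The rule quoted from the current policy, used as the reference (assumption).
EXPECTED_RULE = "allow audisp_t system_dbusd_t : unix_stream_socket connectto ;"

AVC_RE = re.compile(
    r'avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<fields>.*)$'
)
# key=value pairs; values may be quoted (comm, path) or bare (pid, contexts)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Parse one AVC record into a dict, or return None if it is not an AVC."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')
    # A context is user:role:type[:range]; the policy rule only cares about the type.
    for ctx in ("scontext", "tcontext"):
        if ctx in rec:
            rec[ctx + "_type"] = rec[ctx].split(":")[2]
    rec["permissive"] = rec.get("permissive") == "1"
    return rec


def to_allow_rule(rec):
    """Render the denial as the allow rule that would satisfy it, in policy syntax."""
    return "allow %s %s : %s %s ;" % (
        rec["scontext_type"], rec["tcontext_type"], rec["tclass"], " ".join(rec["perms"]))


def parse_allow_rule(rule):
    """Split 'allow SRC TGT : CLASS PERM... ;' into its parts."""
    tokens = rule.replace(";", " ").replace(":", " ").split()
    if len(tokens) < 5 or tokens[0] != "allow":
        raise ValueError("not a simple allow rule: %r" % rule)
    return {"src": tokens[1], "tgt": tokens[2], "tclass": tokens[3],
            "perms": set(tokens[4:])}


def diagnose(line, expected_rule):
    """Compare a denial against the rule the policy already carries.

    Returns 'not-avc', 'granted', 'label-mismatch' (same source, class and
    permissions but a different target type), 'covered' (the rule already
    allows it, so the loaded policy differs from the reference) or 'uncovered'.
    """
    rec = parse_avc(line)
    if rec is None:
        return "not-avc"
    if rec["result"] != "denied":
        return "granted"
    exp = parse_allow_rule(expected_rule)
    same_src = rec["scontext_type"] == exp["src"]
    same_cls = rec["tclass"] == exp["tclass"]
    covered = set(rec["perms"]) <= exp["perms"]
    if same_src and same_cls and covered:
        return "covered" if rec["tcontext_type"] == exp["tgt"] else "label-mismatch"
    return "uncovered"


if __name__ == "__main__":
    rec = parse_avc(SAMPLE_AVC)
    print("denied:  ", to_allow_rule(rec))
    print("expected:", EXPECTED_RULE)
    print("verdict: ", diagnose(SAMPLE_AVC, EXPECTED_RULE))
```

On the sample the verdict is `label-mismatch`: the source domain, object class and permission all match the existing rule and only the peer's type differs (`init_t` instead of `system_dbusd_t`), which points at checking the label of whatever is serving the socket rather than adding a new allow rule.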
