dbus daemon

Steve Blackwell zephod at cfl.rr.com
Sat Jan 30 17:38:11 UTC 2010


I have been getting a lot of AVCs that are related to dbus. A quick check
shows that I have 2 dbus daemons running.

$ ps aux | grep dbus
dbus      1615  0.0  0.1  14160  1880 ?        Ssl  11:53   0:01 dbus-daemon --system
gdm       2385  0.0  0.0   3312   580 ?        S    11:54   0:00 /usr/bin/dbus-launch --exit-with-session
steve     2650  0.0  0.0   3312   576 ?        S    11:58   0:00 dbus-launch --sh-syntax --exit-with-session
steve     2652  0.1  0.1  13528  1484 ?        Ssl  11:58   0:01 /bin/dbus-daemon --fork --print-pid 7 --print-address 9 --session
steve     3154  0.0  0.0   4192   708 pts/0    S+   12:16   0:00 grep dbus

The one that is owned by dbus has a system_u:system_r:system_dbusd_t
context.

The one that is owned by me has an unconfined_u:unconfined_r:unconfined_t
context.

First question: should I really have 2 dbus-daemons?

One AVC says that the dbus daemon owned by dbus can't search
unconfined_t. It was trying to search /proc/2963 which was the
gpk-update-viewer which was running unconfined. (I'm running SELinux in
permissive mode)

$ ps -efZ | grep 2964
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 steve 2963 1  3 12:05 ? 00:00:07 gpk-update-viewer

Second question: does dbus have any reason to look at
gpk-update-viewer?

Clearly, it needs to record the fact that the system was updated but
why does it need to check the update viewer for that?

Last question: how do I fix this? I don't have any modified or
additional SELinux policies so I would have thought this would work
"out-of-the-box".

Here is the raw audit message:

node=steve.blackwell type=AVC msg=audit(1264871141.507:132): avc:
denied { search } for pid=1615 comm="dbus-daemon" name="2963" dev=proc
ino=17982 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=dir 

$ sestatus
SELinux status:                 enabled
SELinuxfs mount:                /selinux
Current mode:                   permissive
Mode from config file:          permissive
Policy version:                 24
Policy from config file:        targeted

$ rpm -qa | grep selinux
libselinux-2.0.80-1.fc11.i586
selinux-policy-targeted-3.6.12-93.fc11.noarch
libselinux-utils-2.0.80-1.fc11.i586
libselinux-devel-2.0.80-1.fc11.i586
libselinux-python-2.0.80-1.fc11.i586
selinux-policy-3.6.12-93.fc11.noarch

Thanks,
Steve
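
The raw AVC record quoted in the message above, broken into its fields; this is an added example, not part of the original post. The function names are hypothetical, and te_rule() only restates the denial in the rule syntax that tools such as audit2allow print, so the source type, target type, class and permission can be read at a glance.

```python
import re
from datetime import datetime, timezone

# The AVC record from the post, with the e-mail line wrapping left in.
RAW_AVC = """node=steve.blackwell type=AVC msg=audit(1264871141.507:132): avc:
denied { search } for pid=1615 comm="dbus-daemon" name="2963" dev=proc
ino=17982 scontext=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023
tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
tclass=dir"""

AVC_RE = re.compile(
    r"msg=audit\((\d+)\.\d+:(\d+)\): avc: (denied|granted) \{ ([^}]*)\} for (.*)")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def split_context(ctx):
    # user:role:type[:level]; the MLS level itself contains ':' (s0-s0:c0.c1023),
    # so split at most three times.
    user, role, type_, *level = ctx.split(":", 3)
    return {"user": user, "role": role, "type": type_,
            "level": level[0] if level else None}

def parse_avc(record):
    text = " ".join(record.split())          # undo the line wrapping
    m = AVC_RE.search(text)
    if m is None:
        raise ValueError("not an AVC record")
    secs, serial, result, perms, rest = m.groups()
    fields = {k: v.strip('"') for k, v in KV_RE.findall(rest)}
    return {
        "time": datetime.fromtimestamp(int(secs), tz=timezone.utc),
        "serial": int(serial),
        "result": result,
        "perms": perms.split(),
        "fields": fields,                    # pid, comm, name, dev, ino, ...
        "source": split_context(fields["scontext"]),
        "target": split_context(fields["tcontext"]),
        "tclass": fields["tclass"],
    }

def te_rule(avc):
    # Restate the access vector as a type-enforcement rule for reading only.
    perms = avc["perms"]
    p = perms[0] if len(perms) == 1 else "{ " + " ".join(perms) + " }"
    return f"allow {avc['source']['type']} {avc['target']['type']}:{avc['tclass']} {p};"

if __name__ == "__main__":
    avc = parse_avc(RAW_AVC)
    print(avc["time"].isoformat(), avc["fields"]["comm"], "->", te_rule(avc))
```

The audit timestamp decodes to 17:05:41 UTC, which lines up with the 12:05 start time that ps reports for gpk-update-viewer.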

