*Urgent* selinux : could not connect session bus, selinux policy prevents this

Rahul Khali rahulc1982 at gmail.com
Tue Feb 12 13:16:26 UTC 2013


Hi,
I am using RHEL 6.0.
As a beginner I picked dummy policies in
linux-2.6.32-71.el6/scripts/selinux/.
This is a monolithic policy.
After setting up everything, I rebooted the machine. It did all the
relabeling.
In permissive mode I looked at audit logs and found messages :
type=USER_AVC msg=audit(1360672844.901:8): user pid=1658 uid=81
auid=4294967295 ses=4294967295 subj=admin_u:admin_r:base_t msg='avc:
denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus
member=Hello dest=org.freedesktop.DBus spid=1
scontext=admin_u:admin_r:base_t tcontext=admin_u:admin_r:base_t
tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1360672844.903:9): user pid=1658 uid=81
auid=4294967295 ses=4294967295 subj=admin_u:admin_r:base_t msg='avc:
denied  { acquire_svc } for service=com.ubuntu.Upstart spid=1
scontext=admin_u:admin_r:base_t tcontext=admin_u:admin_r:base_t
tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
Then I used audit2allow and it suggested:
allow base_t self:dbus acquire_svc
allow base_t self:dbus send_msg

I added these in policy.conf and recreated policy.24 using checkpolicy.
There was no dbus class defined in policy.conf, so I declared it:

class dbus
{
        acquire_svc
        send_msg
}
I rebooted the machine in enforcement mode.
And I could not log in in init 5. (I was able to log in to init 3.)

I saw the following message:
"Could not connect to session bus: An SELinux policy prevents this sender
from sending this message to this recepient (rejected message had sender
"(unset)" interface "org.freedesktop.DBus" member "Hello" error
name"(unset)" destination org.freedesktop.DBus")

Then again I went into permissive mode and looked at audit.log and found
the above messages again.

Can someone please help with this?
-- 
------------------
with regards
Rahul Khali
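
Added example (not part of the original post, and not audit2allow's own code): a small Python parser that re-joins the line-wrapped USER_AVC records quoted above and merges the denials into allow rules in the form audit2allow prints. The function names are hypothetical.

```python
import re
from collections import defaultdict

# The two USER_AVC records quoted in the post, still line-wrapped as the
# e-mail shows them.
SAMPLE = """\
type=USER_AVC msg=audit(1360672844.901:8): user pid=1658 uid=81
auid=4294967295 ses=4294967295 subj=admin_u:admin_r:base_t msg='avc:
denied  { send_msg } for msgtype=method_call interface=org.freedesktop.DBus
member=Hello dest=org.freedesktop.DBus spid=1
scontext=admin_u:admin_r:base_t tcontext=admin_u:admin_r:base_t
tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
type=USER_AVC msg=audit(1360672844.903:9): user pid=1658 uid=81
auid=4294967295 ses=4294967295 subj=admin_u:admin_r:base_t msg='avc:
denied  { acquire_svc } for service=com.ubuntu.Upstart spid=1
scontext=admin_u:admin_r:base_t tcontext=admin_u:admin_r:base_t
tclass=dbus  exe="/bin/dbus-daemon" sauid=81 hostname=? addr=? terminal=?'
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\w+)"
)

def join_records(text):
    """Undo the wrapping: each audit record starts with 'type='."""
    records = []
    for line in text.splitlines():
        if line.startswith("type=") or not records:
            records.append(line.strip())
        else:
            records[-1] += " " + line.strip()
    return records

def denials_to_rules(text):
    """Merge denials into one allow rule per (source, target, class)."""
    grouped = defaultdict(set)
    for record in join_records(text):
        m = AVC_RE.search(record)
        if not m:
            continue
        # A context is user:role:type[:level]; rules are written on the type.
        src, tgt = (m[g].split(":")[2] for g in ("scon", "tcon"))
        target = "self" if src == tgt else tgt
        grouped[(src, target, m["tclass"])].update(m["perms"].split())
    return [f"allow {s} {t}:{c} {{ {' '.join(sorted(p))} }};"
            for (s, t, c), p in sorted(grouped.items())]
```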