Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Allow install_t to chat with systemd over D-Bus #45

Merged
merged 1 commit into from
Jan 19, 2018
Merged

Allow install_t to chat with systemd over D-Bus #45

merged 1 commit into from
Jan 19, 2018

Conversation

jlebon
Copy link
Contributor

@jlebon jlebon commented Jan 9, 2018

An upcoming version of rpm-ostree will make use of systemd's D-Bus API.
Unfortunately, this is currently blocked by SELinux right now:

subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:
denied { send_msg } for msgtype=method_return dest=:1.23 spid=1
tpid=1813 scontext=system_u:system_r:init_t:s0
tcontext=unconfined_u:system_r:install_t:s0-s0:c0.c1023 tclass=dbus
permissive=0

This patch adds a rule to allow rpm-ostree/anaconda to talk to systemd
over D-Bus.

@jlebon
Allow install_t to chat with systemd over D-Bus
63771cb 
An upcoming version of rpm-ostree will make use of systemd's D-Bus API.
Unfortunately, this is currently blocked by SELinux right now:

    subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:
    denied { send_msg } for msgtype=method_return dest=:1.23 spid=1
    tpid=1813 scontext=system_u:system_r:init_t:s0
    tcontext=unconfined_u:system_r:install_t:s0-s0:c0.c1023 tclass=dbus
    permissive=0

This patch adds a rule to allow rpm-ostree/anaconda to talk to systemd
over D-Bus.
@jlebon
Copy link
Contributor Author

jlebon commented Jan 9, 2018

PR that will make use of this: coreos/rpm-ostree#1147
I successfully tested this patch in https://koji.fedoraproject.org/koji/taskinfo?taskID=24089792.

@rhatdan
Copy link
Contributor

rhatdan commented Jan 12, 2018

LGTM

@cgwalters
Copy link
Contributor

Yep LGTM too!

@rhatdan
Copy link
Contributor

rhatdan commented Jan 12, 2018

@wrabcak Can we get this into Fedora policy ASAP?

@wrabcak wrabcak merged commit 93c9a53 into fedora-selinux:rawhide Jan 19, 2018
@wrabcak
Copy link
Member

wrabcak commented Jan 19, 2018

Build will be later today. Sorry for late reply

@cgwalters
Copy link
Contributor

It doesn't look like there's a F27 build. I'm a bit worried about the compat hazard here; I'd like to keep rpm-ostree releases monthly and if we have a hard dependency on things like this sepolicy change that gets harder.

I guess right now it'll just end up logging a denial...and only if someone has automatic updates enabled? Eh...I guess we can live with that.

@jlebon
Copy link
Contributor Author

jlebon commented Jan 29, 2018

Hmm OTOH, it'd be nice if folks who wanted to experiment with the upcoming check mode didn't have to setenforce 0. (And coreos/rpm-ostree#27 makes it tricky to cleanly "carry" a local module like we do in our tests). Let's say, if there's an selinux-policy bodhi update during the next rpm-ostree release, let's bind them together but otherwise we'll go ahead?

@jlebon jlebon mentioned this pull request Jan 31, 2018
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
4 participants
@jlebon @rhatdan @cgwalters @wrabcak