From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: russell@coker.com.au, SE-Linux <selinux@tycho.nsa.gov>
Subject: Re: dbus reading /proc/X/cmdline
Date: Wed, 04 Mar 2009 11:52:24 -0500
Message-ID: <49AEB1C8.7090200@redhat.com>
In-Reply-To: <1236183949.2679.21.camel@localhost.localdomain>
Stephen Smalley wrote:
> On Wed, 2009-03-04 at 10:45 -0500, Daniel J Walsh wrote:
>> Stephen Smalley wrote:
>>> On Wed, 2009-03-04 at 23:09 +1100, Russell Coker wrote:
>>>> Why does the dbus-daemon want to read the cmdline of every process that it
>>>> talks to? Is it something to allow or dontaudit? It appears to work without
>>>> allowing it.
>>>>
>>>> type=AVC msg=audit(1236168464.840:83): avc: denied { search } for pid=2757
>>>> comm="dbus-daemon" name="2874" dev=proc ino=12535
>>>> scontext=unconfined_u:unconfined_r:system_dbusd_t:s0-s0:c0.c1023
>>>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
>>>> type=AVC msg=audit(1236168464.840:83): avc: denied { read } for pid=2757
>>>> comm="dbus-daemon" name="cmdline" dev=proc ino=12536
>>>> scontext=unconfined_u:unconfined_r:system_dbusd_t:s0-s0:c0.c1023
>>>> tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
>>>> type=SYSCALL msg=audit(1236168464.840:83): arch=40000003 syscall=5 success=yes
>>>> exit=16 a0=b8481fa0 a1=0 a2=b3a a3=b84826c0 items=0 ppid=1 pid=2757
>>>> auid=4294967295 uid=103 gid=105 euid=103 suid=103 fsuid=103 egid=105 sgid=105
>>>> fsgid=105 tty=(none) ses=4294967295 comm="dbus-daemon"
>>>> exe="/usr/bin/dbus-daemon"
>>>> subj=unconfined_u:unconfined_r:system_dbusd_t:s0-s0:c0.c1023 key=(null)
>>> It appears to fetch that information for logging purposes (comm= field).
>>>
>> dbus also has the ability to state that an executable is the only one
>> that is able to communicate over it. Not very secure. But it is there.
>>
>> I can put in the config that only /usr/libexec/nm-applet is able to
>> communicate with network-manager.
>
> That sort of restriction should be implemented based on SELinux domains
> rather than program name. Just a matter of defining policy for the
> client programs and configuring the dbus policy appropriately.
>
Yes, it has that ability also.
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
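The "allow or dontaudit?" question in Russell's post is normally answered by feeding the AVC records to audit2allow. What follows is an added example, not code from this thread or from the dbus or SELinux projects: a small Python stand-in for that step, run over a constructed re-join of the two wrapped AVC lines quoted above, so the same denials can be rendered as either allow or dontaudit rules. The script and its function names are illustrative assumptions; only the record fields and the resulting rule syntax are the standard ones.

```python
import re
from collections import defaultdict

# Constructed sample: the records Russell quoted, re-joined onto one line each.
SAMPLE_AUDIT_LOG = """\
type=AVC msg=audit(1236168464.840:83): avc: denied { search } for pid=2757 comm="dbus-daemon" name="2874" dev=proc ino=12535 scontext=unconfined_u:unconfined_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=dir
type=AVC msg=audit(1236168464.840:83): avc: denied { read } for pid=2757 comm="dbus-daemon" name="cmdline" dev=proc ino=12536 scontext=unconfined_u:unconfined_r:system_dbusd_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=file
type=SYSCALL msg=audit(1236168464.840:83): arch=40000003 syscall=5 success=yes exit=16 pid=2757 comm="dbus-daemon" exe="/usr/bin/dbus-daemon"
"""

# One AVC denial record: permissions in braces, then source/target context and class.
AVC_RE = re.compile(
    r'type=AVC .*?avc: +denied +\{ (?P<perms>[^}]+)\} .*?'
    r'scontext=(?P<scontext>\S+) +tcontext=(?P<tcontext>\S+) +tclass=(?P<tclass>\S+)'
)

def context_type(ctx):
    """Return the type (third field) of a user:role:type[:range] context."""
    return ctx.split(":")[2]

def parse_avc_denials(log_text):
    """Yield (source_type, target_type, tclass, perms) for each AVC denial line."""
    for line in log_text.splitlines():
        m = AVC_RE.search(line)
        if m:  # SYSCALL and other record types are skipped
            perms = frozenset(m.group("perms").split())
            yield (context_type(m.group("scontext")),
                   context_type(m.group("tcontext")),
                   m.group("tclass"), perms)

def audit_to_rules(log_text, action="allow"):
    """Collapse denials into one TE rule per (source, target, class), audit2allow-style."""
    if action not in ("allow", "dontaudit"):
        raise ValueError("action must be 'allow' or 'dontaudit'")
    perms_by_key = defaultdict(set)
    for src, tgt, cls, perms in parse_avc_denials(log_text):
        perms_by_key[(src, tgt, cls)] |= perms
    rules = []
    for (src, tgt, cls), perms in sorted(perms_by_key.items()):
        perm_text = " ".join(sorted(perms))
        if len(perms) > 1:
            perm_text = "{ " + perm_text + " }"
        rules.append(f"{action} {src} {tgt}:{cls} {perm_text};")
    return rules

if __name__ == "__main__":
    # dontaudit silences the denial without granting dbus-daemon the access.
    for rule in audit_to_rules(SAMPLE_AUDIT_LOG, "dontaudit"):
        print(rule)
```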
Thread overview: 5+ messages
2009-03-04 12:09 dbus reading /proc/X/cmdline Russell Coker
2009-03-04 14:00 ` Stephen Smalley
2009-03-04 15:45 ` Daniel J Walsh
2009-03-04 16:25 ` Stephen Smalley
2009-03-04 16:52 ` Daniel J Walsh [this message]