From: Laurent Bigonville <bigon@debian.org>
To: sds@tycho.nsa.gov
Cc: selinux@tycho.nsa.gov
Subject: Re: continuation of systemd/SELinux discussion from Github
Date: Thu, 3 Dec 2015 10:09:45 +0100	[thread overview]
Message-ID: <566006D9.6040108@debian.org> (raw)
In-Reply-To: <565F366E.3030403@tycho.nsa.gov>

On 02/12/15 19:20, Stephen Smalley wrote:
> On 12/02/2015 05:18 AM, Dominick Grift wrote:
>> Let's continue the discussion here.
>>
>> The last answered questionnaire is below; any further questions or
>> comments?
>>
>> ----------------------------------------
>>
>>          "systemd --user" concept is broken as we can see/read from this
>>          thread from SELinux point of view.
>>
>> It was working fine except that it was trying to log to the audit system,
>> which unprivileged processes aren't allowed to do.
>
> What's the dbus solution for this issue?
That one I can reply to.

The dbus-daemon checks if the AUDIT_CAP is set on its process and then
opens the audit netlink and then starts logging. The idea was to set the
file capability on the executable, but Simon (dbus-daemon upstream) was
not sure he wanted that as dbus-daemon has not been audited and was
afraid of some security issues (if somebody has an opinion on whether
the file capability should be set by default or not, please tell me).

These are the "recent" patches involved in the auditing:
http://cgit.freedesktop.org/dbus/dbus/commit/?id=517c4685a8197498dea40918b308beea19155efd
http://cgit.freedesktop.org/dbus/dbus/commit/?id=992236f1c57a7a8930e4c8aeb21f30c2d8af21d3
http://cgit.freedesktop.org/dbus/dbus/commit/?id=983237258dc440419b863461fae15f31cce08639
http://cgit.freedesktop.org/dbus/dbus/commit/?id=a3a5935a0a038c3b44c61ce5719f0f7e647b96c6
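
The check-before-open behaviour described in the message above, as an added illustration that is not dbus's own code: the process reads its effective capability set from /proc/self/status and opens a NETLINK_AUDIT socket only when CAP_AUDIT_WRITE is present; otherwise it runs without audit logging instead of failing with EPERM. Function names are my own and the CapEff line in the test is constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>
#include <linux/capability.h>

/* Parse one "CapEff:\t0000003fffffffff" line from /proc/<pid>/status and
 * report whether capability bit `cap` is set in the effective set.
 * Returns 0 for any line that is not the CapEff line. */
int capeff_line_has(const char *line, int cap)
{
    if (strncmp(line, "CapEff:", 7) != 0)
        return 0;
    /* strtoull skips the leading tab; the mask is printed in hex. */
    unsigned long long mask = strtoull(line + 7, NULL, 16);
    return (int)((mask >> cap) & 1ULL);
}

/* Check the calling process's own effective capabilities. */
int proc_has_cap(int cap)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int found = 0;
    if (!f)
        return 0;
    while (fgets(line, sizeof line, f)) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            found = capeff_line_has(line, cap);
            break;
        }
    }
    fclose(f);
    return found;
}

/* Sending user-space audit records over NETLINK_AUDIT requires
 * CAP_AUDIT_WRITE, so only open the socket when it is effective
 * (e.g. granted as a file capability with `setcap cap_audit_write+ep`).
 * Returns the socket fd, or -1 when the daemon should run without
 * audit logging. */
int open_audit_socket_if_permitted(void)
{
    if (!proc_has_cap(CAP_AUDIT_WRITE))
        return -1;
    return socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
}
```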
