#4 Skip SELinux operations on D-Bus messages if SELinux is disabled
Merged 2 years ago by nalin. Opened 2 years ago by abbra.

file modified
+4 -2
@@ -49,6 +49,7 @@ 

  struct oddjob_dbus_context {

  	DBusBusType bustype;

  	int reconnect_timeout;

+ 	dbus_bool_t selinux_enabled;

  	struct oddjob_dbus_service {

  		struct oddjob_dbus_context *ctx;

  		DBusConnection *conn;
@@ -154,7 +155,7 @@ 

  

  /* Create a new master state structure. */

  struct oddjob_dbus_context *

- oddjob_dbus_listeners_new(DBusBusType bustype)

+ oddjob_dbus_listeners_new(DBusBusType bustype, dbus_bool_t selinux_enabled)

  {

  	struct oddjob_dbus_context *ctx;

  
@@ -167,6 +168,7 @@ 

  	ctx->reconnect_timeout = 0;

  	ctx->n_services = 0;

  	ctx->services = NULL;

+ 	ctx->selinux_enabled = selinux_enabled;

  

  	return ctx;

  }
@@ -712,7 +714,7 @@ 

  	}

  

  	/* Build our message structure. */

- 	msg = oddjob_dbus_message_from_message(conn, message, FALSE, TRUE);

+ 	msg = oddjob_dbus_message_from_message(conn, message, FALSE, ctx->selinux_enabled);

  	if (msg == NULL) {

  		return DBUS_HANDLER_RESULT_NOT_YET_HANDLED;

  	}

file modified
+1 -1
@@ -39,7 +39,7 @@ 

  struct oddjob_dbus_message;

  

  /* Server */

- struct oddjob_dbus_context *oddjob_dbus_listeners_new(DBusBusType bus);

+ struct oddjob_dbus_context *oddjob_dbus_listeners_new(DBusBusType bus, dbus_bool_t selinux_enabled);

  void oddjob_dbus_listeners_reconnect_if_needed(struct oddjob_dbus_context *ctx);

  void oddjob_dbus_listeners_set_reconnect_timeout(struct oddjob_dbus_context *ctx,

  						 int timeout);

file modified
+3 -3
@@ -51,7 +51,6 @@ 

  #ifdef SELINUX_ACLS

  #include <selinux/selinux.h>

  #include <selinux/context.h>

- #include <selinux/flask.h>

  #endif

  #include "buffer.h"

  #include "common.h"
@@ -1973,7 +1972,7 @@ 

  			}

  			if (security_compute_create((char *) client_secontext,

  						    helper_context,

- 						    SECCLASS_PROCESS,

+ 						    string_to_security_class("process"),

  						    &exec_context) != 0) {

  				/* Failed to compute exec context? */

  				exec_errno = 0xfe;
@@ -2985,7 +2984,8 @@ 

  	globals.config = config;

  

  	/* Open a connection to the message bus. */

- 	ctx = oddjob_dbus_listeners_new(options.bus);

+ 	check_selinux_applicable();

+ 	ctx = oddjob_dbus_listeners_new(options.bus, globals.selinux_enabled);

  	if (ctx == NULL) {

  		fprintf(stderr, "Error connecting to D-Bus!\n");

  		return 2;

Fix rhbz#1578150 by skipping SELinux operations if SELinux is disabled. Most of the code already did that except D-Bus handlers.

Can someone please review this PR so that we can move forward with the proposed fix?

Pull-Request has been merged by nalin

2 years ago