From 3e26e372a8649dbdb6d00043297324c2273b71ae Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Oct 08 2019 09:24:41 +0000 Subject: [PATCH 1/2] Only process SELinux contexts if SELinux is not disabled When operating under SELinux disabled, do not try to retrieve SELinux context of the D-Bus sender because it will fail with a D-Bus error message that confuses users in the logs and breaks operations. Resolves: rhbz#1578150 Signed-off-by: Alexander Bokovoy --- diff --git a/src/oddjob_dbus.c b/src/oddjob_dbus.c index 573cf98..a887eb5 100644 --- a/src/oddjob_dbus.c +++ b/src/oddjob_dbus.c @@ -49,6 +49,7 @@ struct oddjob_dbus_context { DBusBusType bustype; int reconnect_timeout; + dbus_bool_t selinux_enabled; struct oddjob_dbus_service { struct oddjob_dbus_context *ctx; DBusConnection *conn; @@ -154,7 +155,7 @@ oddjob_dbus_listeners_set_reconnect_timeout(struct oddjob_dbus_context *ctx, /* Create a new master state structure. */ struct oddjob_dbus_context * -oddjob_dbus_listeners_new(DBusBusType bustype) +oddjob_dbus_listeners_new(DBusBusType bustype, dbus_bool_t selinux_enabled) { struct oddjob_dbus_context *ctx; @@ -167,6 +168,7 @@ oddjob_dbus_listeners_new(DBusBusType bustype) ctx->reconnect_timeout = 0; ctx->n_services = 0; ctx->services = NULL; + ctx->selinux_enabled = selinux_enabled; return ctx; } @@ -712,7 +714,7 @@ oddjob_dbus_filter(DBusConnection *conn, DBusMessage *message, void *user_data) } /* Build our message structure. */ - msg = oddjob_dbus_message_from_message(conn, message, FALSE, TRUE); + msg = oddjob_dbus_message_from_message(conn, message, FALSE, ctx->selinux_enabled); if (msg == NULL) { return DBUS_HANDLER_RESULT_NOT_YET_HANDLED; } diff --git a/src/oddjob_dbus.h b/src/oddjob_dbus.h index 376121d..d80678e 100644 --- a/src/oddjob_dbus.h +++ b/src/oddjob_dbus.h 
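Review bot: The comment above `oddjob_dbus_listeners_new` still reads only `/* Create a new master state structure. */` and says nothing about the new `selinux_enabled` argument, which is now part of the interface also declared in src/oddjob_dbus.h. I would extend it to something like `/* Create a new master state structure; selinux_enabled says whether the sender's SELinux context is fetched for incoming messages. */`. The new `selinux_enabled` field added to `struct oddjob_dbus_context` in the first hunk has no comment either and could carry the same one-line explanation. The function body continues outside this hunk.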
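Review bot: In `oddjob_dbus_filter`, passing `ctx->selinux_enabled` instead of `TRUE` means the message built here carries no sender SELinux context whenever the flag is false, and nothing in this hunk shows how later ACL checks treat that. If any rule matches on the sender's context, a missing context should count as a non-match rather than be skipped, so that running with SELinux disabled does not widen who may call a method; that code is outside the hunk and should be confirmed. A comment at the call would record the intent, e.g. `/* Sender SELinux context is only fetched when SELinux is enabled; consumers must treat a missing context as "no match". */`. The declaration and assignment of `ctx` in this function are also outside the hunk.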
@@ -39,7 +39,7 @@ struct oddjob_dbus_context; struct oddjob_dbus_message; /* Server */ -struct oddjob_dbus_context *oddjob_dbus_listeners_new(DBusBusType bus); +struct oddjob_dbus_context *oddjob_dbus_listeners_new(DBusBusType bus, dbus_bool_t selinux_enabled); void oddjob_dbus_listeners_reconnect_if_needed(struct oddjob_dbus_context *ctx); void oddjob_dbus_listeners_set_reconnect_timeout(struct oddjob_dbus_context *ctx, int timeout); diff --git a/src/oddjobd.c b/src/oddjobd.c index 8c4b0fe..32d309c 100644 --- a/src/oddjobd.c +++ b/src/oddjobd.c @@ -2985,7 +2985,8 @@ main(int argc, char **argv) globals.config = config; /* Open a connection to the message bus. */ - ctx = oddjob_dbus_listeners_new(options.bus); + check_selinux_applicable(); + ctx = oddjob_dbus_listeners_new(options.bus, globals.selinux_enabled); if (ctx == NULL) { fprintf(stderr, "Error connecting to D-Bus!\n"); return 2; From 9648f39b2e38d8d908b9cda1f0145a9f57d19572 Mon Sep 17 00:00:00 2001 From: Alexander Bokovoy Date: Oct 08 2019 09:31:54 +0000 Subject: [PATCH 2/2] Remove reference to selinux/flask.h --- diff --git a/src/oddjobd.c b/src/oddjobd.c index 32d309c..ca78550 100644 --- a/src/oddjobd.c +++ b/src/oddjobd.c @@ -51,7 +51,6 @@ #ifdef SELINUX_ACLS #include #include -#include #endif #include "buffer.h" #include "common.h" @@ -1973,7 +1972,7 @@ oddjobd_exec_method(struct oddjob_dbus_context *ctx, } if (security_compute_create((char *) client_secontext, helper_context, - SECCLASS_PROCESS, + string_to_security_class("process"), &exec_context) != 0) { /* Failed to compute exec context? */ exec_errno = 0xfe;
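Review bot: In `main`, `globals.selinux_enabled` is read right after `check_selinux_applicable()` and copied into the listener context once, so the D-Bus side keeps that startup value for the life of the process. If `check_selinux_applicable()` is called again elsewhere, the two copies could disagree. If it leaves the global untouched in a build without `SELINUX_ACLS` or when the probe fails, the flag stays at whatever `globals` was initialised to. The helper's definition is not in this hunk, so both cases need checking. I would at least add `/* Probe SELinux once, before creating the listeners; the D-Bus context keeps its own copy of the result. */` above the call. `main` starts and continues outside the hunk.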
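Review bot: `string_to_security_class("process")` returns 0 when the class name cannot be resolved, and in `oddjobd_exec_method` that value is passed straight into `security_compute_create()`. The old `SECCLASS_PROCESS` constant could not fail at run time, but the replacement can. The lookup therefore deserves its own check rather than relying on `security_compute_create()` to reject class 0. Something like `security_class_t proc_class = string_to_security_class("process");` followed by `if (proc_class == 0)` taking the existing "Failed to compute exec context" branch would make a failed lookup explicit. The function body begins and continues outside this hunk.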