SE-DBUS

[Havoc Pennington]

Hi,

On Thu, 2004-02-19 at 10:46, Matthew Rickard wrote:
> I've been working on implementing SELinux access controls into the D-BUS
> daemon.  An initial test release of this code is available at 
> http://www.flux.utah.edu/~sds/dbus/
> 
> The README file there gives a general overview of what the new code is
> doing, and some directions for patching and building it.  Basically, the
> security enhancements enforce service acquisition and message sending
> through the D-BUS daemon using a user-space AVC.
> 
> If you have any questions/comments/bug fixes please let me know.
> 

Apologies in advance that I'm pretty ignorant of the SELinux details.
But I do think this is a really important patch and want to get it in.

I've just read through the README so far, at Stephen's urging. I figure
I'll go ahead and follow up on that basis, just so you hear something
sooner rather than later.

Question -

The way I expected the SELinux patch to work before seeing your patch
was the same way UNIX groups currently work. That is, dbus daemon would
query the SELinux contexts applying to each connection using the new
getpeercon(), and then normal D-BUS policies would be applied based on
those contexts. The policies would be defined in the standard D-BUS
config files.

Can you back up and explain why this approach doesn't work and why you
took the approach you did? (I probably need baby steps, don't assume I
know too much about SELinux...)

Colin Walters may have good input here, since he's poked around in both
D-BUS and SELinux code.

Another suggestion I'd make is to add an SELinux section to the dbus man
pages right after the discussion of the user/group based policies, if
you haven't already.

Thanks for helping out on this!

Havoc