Loadable security modules for D-Bus

Lennart Poettering mzqohf at 0pointer.de
Tue Jan 10 16:04:03 PST 2012


On Mon, 09.01.12 22:13, Marcel Holtmann (marcel at holtmann.org) wrote:

> 
> Hi Lennart,
> 
> > > I do question the general usefulness of D-Bus security. I think it is
> > > pretty clear by now that static configuration is not really useful
> > > anyway. So not doing this at all and even getting rid of SELinux support
> > > might be a good idea.
> > > 
> > > The only security related policy should be which daemon can own which
> > > system bus name. And this might be a good option to be enforced by a
> > > systemd unit file for that service.
> > > 
> > > Everything else should be left up to the daemon and enforced dynamically
> > > via PolicyKit or similar technologies.
> > 
> > I tend to agree with this. I think the per-method security policy is way
> > to baroque. Service-based access should suffice, and the emphasis be put
> > on PK for everything else.
> 
> so if we follow this and accept the fact that method or interface based
> security model for D-Bus is basically to inflexible and thus useless,
> the recommendation should be to remove SELinux support from D-Bus bus
> daemon.

Well, I'd assume that the most basic per-service access control (which
as mentioned we need to keep around) would still need to do some selinux
magic.

Lennart

-- 
Lennart Poettering - Red Hat, Inc.


More information about the dbus mailing list