Bugzilla – Full Text Bug Listing
| Summary: | [SELinux] fail to dbus-ping avahi service in a distrobox container | ||
|---|---|---|---|
| Product: | [openSUSE] openSUSE Tumbleweed | Reporter: | Fred Fu <moonsolo> |
| Component: | Security | Assignee: | Cathy Hu <cathy.hu> |
| Status: | RESOLVED WORKSFORME | QA Contact: | E-mail List <qa-bugs> |
| Severity: | Normal | ||
| Priority: | P5 - None | CC: | cathy.hu, moonsolo |
| Version: | Current | Flags: | cathy.hu: needinfo? (moonsolo) |
| Target Milestone: | --- | ||
| Hardware: | x86 | ||
| OS: | Other | ||
| Whiteboard: | |||
| Found By: | --- | Services Priority: | |
| Business Priority: | Blocker: | --- | |
| Marketing QA Status: | --- | IT Deployment: | --- |
Description
Fred Fu
2023-11-13 16:11:07 UTC
Thanks for the report. Please have a look at https://en.opensuse.org/openSUSE:Bugreport_SELinux and provide the information that is listed there. Thanks

Additional information:

# Operating System:
openSUSE MicroOS Desktop (openSUSE Aeon)

# SELinux status, mode and policy name

```
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
```

# SELinux policy version and repository:

```
Information for package selinux-policy:
---------------------------------------
Repository     : openSUSE-Tumbleweed-Oss
Name           : selinux-policy
Version        : 20231030-1.1
Arch           : noarch
Vendor         : openSUSE
Installed Size : 24.8 KiB
Installed      : Yes (automatically)
Status         : up-to-date
Source package : selinux-policy-20231030-1.1.src
Upstream URL   : https://github.com/fedora-selinux/selinux-policy.git
Summary        : SELinux policy configuration
Description    :
    SELinux Reference Policy.
    A complete SELinux policy that can be used as the system policy for a variety of systems and used as the basis for creating other policies.
```

# The software (incl. version) that is affected by the SELinux issue and the error message

Run the following command in a distrobox container:

`dbus-send --system --print-reply --dest=org.freedesktop.Avahi /org/freedesktop/DBus org.freedesktop.DBus.Peer.Ping`

Error:

```
org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
```

# SELinux Audit log

`sudo ausearch -ts today -m USER_AVC`

```
----
time->Wed Nov 15 13:18:31 2023
type=USER_AVC msg=audit(1700072311.494:127): pid=1037 uid=484 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.139 spid=1034 tpid=6336 scontext=system_u:system_r:avahi_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=dbus permissive=0  exe="/usr/bin/dbus-daemon" sauid=484 hostname=? addr=? terminal=?'
```

# The exact steps how to configure and use the system to trigger the AVC

Run the command above in a distrobox container.

Not an Aeon bug - distrobox and SELinux are more generic than that, assigning to Tumbleweed/SELinux

Hi, sorry for the long delay, but after trying different approaches I could not reproduce the issue. I have openSUSE Aeon with selinux policy version 20231124-1.1 (current version, newer than yours). Then I did this:

```
test@localhost:~> distrobox create -n test
...
test@localhost:~> distrobox enter test
Starting container...                    [ OK ]
...
(inside the container)
test@test:~> sudo mkdir /run/dbus
test@test:~> sudo ln -s /run/host/run/dbus/system_bus_socket /run/dbus/system_bus_socket
test@test:~> dbus-send --system --print-reply --dest=org.freedesktop.Avahi /org/freedesktop/DBus org.freedesktop.DBus.Peer.Ping
method return time=1702048240.291599 sender=:1.2 -> destination=:1.167 serial=38 reply_serial=2
test@test:~> exit
logout
test@localhost:~> sudo ausearch -m avc -ts today
[sudo] password for test:
<no matches>
```

Also, I did another setup with a distrobox container created with --init and the dbus-send still works for me. Also tried it with different images, e.g. tumbleweed:latest, no issue.

We did quite some big changes in the last selinux-policy update, could you please check if updating fixes it for you? If it does not, could you please share:

- how did you set up the dbus socket in the container?
- did you provide more arguments when creating the distrobox container or have something in your config that could cause this?

Thanks a lot :)

I will close this, as I cannot reproduce the issue. Please feel free to reopen if the issue persists :)
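As an added example (not part of the bug report or of any openSUSE tooling), the following Python reads the dbus `USER_AVC` record quoted in the report and pulls out what a policy maintainer actually needs from it: which domain was blocked from sending to which, on what message type, and the audit2allow-style rule that would permit it. The sample record is the one pasted above; the function names (`parse_user_avc`, `allow_rule`, `summarize`) are this example's own.

```python
import re

# Sample input: the USER_AVC record from the bug report above, copied as one line.
SAMPLE_RECORD = (
    "type=USER_AVC msg=audit(1700072311.494:127): pid=1037 uid=484 auid=4294967295 "
    "ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc:  denied  { send_msg } for msgtype=method_return dest=:1.139 spid=1034 "
    "tpid=6336 scontext=system_u:system_r:avahi_t:s0 "
    "tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=dbus permissive=0  "
    "exe=\"/usr/bin/dbus-daemon\" sauid=484 hostname=? addr=? terminal=?'"
)

# dbus-daemon writes the AVC text into the quoted msg='...' payload of the audit record.
MSG_RE = re.compile(r"msg='(?P<body>.*)'")
AVC_RE = re.compile(
    r"avc:\s+(?P<result>denied|granted)\s+\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<rest>.*)"
)
# key=value pairs; values are either "double quoted" or a run of non-space characters
# (contexts contain colons, bus names start with ':', so \S+ is the right shape).
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def _type_of(context):
    """Return the type field of a user:role:type[:level] security context."""
    return context.split(":")[2]


def parse_user_avc(record):
    """Parse one dbus USER_AVC audit record; returns None if it carries no AVC text."""
    m = MSG_RE.search(record)
    if not m:
        return None
    avc = AVC_RE.search(m.group("body"))
    if not avc:
        return None
    fields = {k: v.strip('"') for k, v in KV_RE.findall(avc.group("rest"))}
    return {
        "result": avc.group("result"),
        "perms": avc.group("perms").split(),
        "msgtype": fields.get("msgtype"),
        "source_type": _type_of(fields["scontext"]),
        "target_type": _type_of(fields["tcontext"]),
        "tclass": fields["tclass"],
        # permissive=1 means the denial was only logged, not enforced
        "permissive": fields.get("permissive") == "1",
        "source_pid": fields.get("spid"),
        "target_pid": fields.get("tpid"),
    }


def allow_rule(avc):
    """The TE rule that would permit the parsed denial, in the form audit2allow emits."""
    perms = " ".join(avc["perms"])
    return f"allow {avc['source_type']} {avc['target_type']}:{avc['tclass']} {{ {perms} }};"


def summarize(record):
    """One-line human reading of the record, or None if it is not an AVC."""
    avc = parse_user_avc(record)
    if avc is None:
        return None
    mode = "logged only (permissive)" if avc["permissive"] else "enforced"
    return (
        f"{avc['result']} {avc['tclass']} {{ {' '.join(avc['perms'])} }} "
        f"of a {avc['msgtype']} from {avc['source_type']} (pid {avc['source_pid']}) "
        f"to {avc['target_type']} (pid {avc['target_pid']}), {mode}"
    )


if __name__ == "__main__":
    print(summarize(SAMPLE_RECORD))
    print(allow_rule(parse_user_avc(SAMPLE_RECORD)))
```

Two things the parsed record makes visible. First, the denied message is the `method_return`, so the Ping request itself reached avahi and only the reply was dropped by dbus-daemon, which is exactly the `NoReply` symptom the reporter saw. Second, the target domain is `container_runtime_t`, the domain of the client process inside the container as dbus-daemon saw it, which is why the assignee asks how the bus socket was wired into the container. The generated `allow avahi_t container_runtime_t:dbus { send_msg };` is what `ausearch -m USER_AVC | audit2allow` would produce as well; treat it as a diagnosis, not a fix, since loading such a rule blindly widens what a confined daemon may send to the container runtime domain.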