Bugzilla – Bug 1217092
[SELinux] fail to dbus-ping avahi service in a distrobox container
Last modified: 2024-01-12 09:50:21 UTC
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:109.0) Gecko/20100101 Firefox/119.0
Build Identifier:

`dbus-send --system --print-reply --dest=org.freedesktop.Avahi /org/freedesktop/DBus org.freedesktop.DBus.Peer.Ping` fails to work. It triggers an error:

```
org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
```

The command used to work but has stopped working since Nov 06 (or the weekend before). It works fine outside of distrobox. It also works if selinux gets turned off.

Reproducible: Always

Steps to Reproduce:
1. open the tumbleweed distrobox
2. `dbus-send --system --print-reply --dest=org.freedesktop.Avahi /org/freedesktop/DBus org.freedesktop.DBus.Peer.Ping`

Actual Results:
```
org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was b
```

Expected Results:
I should've got an immediate result like
```
method return time=1699891814.440351 sender=:1.1 -> destination=:1.390 serial=31 reply_serial=2
```
Thanks for the report. Please have a look at https://en.opensuse.org/openSUSE:Bugreport_SELinux and provide the information that is listed there. Thanks
Additional information:

# Operating System:
openSUSE MicroOS Desktop (openSUSE Aeon)

# SELinux status, mode and policy name
```
SELinux status:                 enabled
SELinuxfs mount:                /sys/fs/selinux
SELinux root directory:         /etc/selinux
Loaded policy name:             targeted
Current mode:                   enforcing
Mode from config file:          enforcing
Policy MLS status:              enabled
Policy deny_unknown status:     allowed
Memory protection checking:     actual (secure)
Max kernel policy version:      33
```

# SELinux policy version and repository:
```
Information for package selinux-policy:
---------------------------------------
Repository     : openSUSE-Tumbleweed-Oss
Name           : selinux-policy
Version        : 20231030-1.1
Arch           : noarch
Vendor         : openSUSE
Installed Size : 24.8 KiB
Installed      : Yes (automatically)
Status         : up-to-date
Source package : selinux-policy-20231030-1.1.src
Upstream URL   : https://github.com/fedora-selinux/selinux-policy.git
Summary        : SELinux policy configuration
Description    :
    SELinux Reference Policy.
    A complete SELinux policy that can be used as the system policy for a
    variety of systems and used as the basis for creating other policies.
```

# The software (incl. version) that is affected by the SELinux issue and the error message
run the following command in a distrobox container
`dbus-send --system --print-reply --dest=org.freedesktop.Avahi /org/freedesktop/DBus org.freedesktop.DBus.Peer.Ping`
Error:
```
org.freedesktop.DBus.Error.NoReply: Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.
```
# SELinux Audit log
```
sudo ausearch -ts today -m USER_AVC
----
time->Wed Nov 15 13:18:31 2023
type=USER_AVC msg=audit(1700072311.494:127): pid=1037 uid=484 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: denied { send_msg } for msgtype=method_return dest=:1.139 spid=1034 tpid=6336 scontext=system_u:system_r:avahi_t:s0 tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 tclass=dbus permissive=0 exe="/usr/bin/dbus-daemon" sauid=484 hostname=? addr=? terminal=?'
```

# The exact steps how to configure and use the system to trigger the AVC
Run the command above in a distrobox container
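The USER_AVC record above is the diagnostic the whole thread turns on: dbus-daemon (running as system_dbusd_t) enforced the bus policy and dropped a method_return from avahi_t to the container's container_runtime_t, which is exactly why the client sees NoReply rather than a permission error. As an added example, not part of the bug report or of any openSUSE tooling, the following parser turns such records into structured fields and flags the blocked-reply pattern; the sample record is the one quoted in the report, and all class and function names are my own.

```python
"""Parse SELinux USER_AVC records (the form auditd/ausearch emits for D-Bus
denials) into structured fields and classify them for triage.

Added example; not code from the bug report or from openSUSE. The record in
SAMPLE_RECORD is the one quoted in the report's audit log.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field
from typing import Optional

# Sample input: the USER_AVC line from the bug report (constructed here as a
# single string so the example runs offline).
SAMPLE_RECORD = (
    "type=USER_AVC msg=audit(1700072311.494:127): pid=1037 uid=484 "
    "auid=4294967295 ses=4294967295 "
    "subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 "
    "msg='avc: denied { send_msg } for msgtype=method_return dest=:1.139 "
    "spid=1034 tpid=6336 scontext=system_u:system_r:avahi_t:s0 "
    "tcontext=unconfined_u:unconfined_r:container_runtime_t:s0 "
    "tclass=dbus permissive=0 exe=\"/usr/bin/dbus-daemon\" sauid=484 "
    "hostname=? addr=? terminal=?'"
)


@dataclass
class DbusAvc:
    """One userspace AVC decision reported by dbus-daemon."""
    timestamp: float
    serial: int
    decision: str                 # "denied" or "granted"
    permissions: list[str]        # e.g. ["send_msg"]
    msgtype: Optional[str]        # method_call, method_return, signal, error
    scontext: str
    tcontext: str
    tclass: str
    permissive: bool
    fields: dict[str, str] = field(default_factory=dict)

    @property
    def source_type(self) -> str:
        # user:role:type:range -> the type component
        return self.scontext.split(":")[2]

    @property
    def target_type(self) -> str:
        return self.tcontext.split(":")[2]


_HEADER = re.compile(r"msg=audit\((\d+\.\d+):(\d+)\)")
_INNER = re.compile(r"msg='avc: (denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)'\s*$")
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_user_avc(line: str) -> Optional[DbusAvc]:
    """Return a DbusAvc for a USER_AVC record, or None for anything else."""
    if "type=USER_AVC" not in line:
        return None
    head = _HEADER.search(line)
    inner = _INNER.search(line)
    if not head or not inner:
        return None
    decision, perms, rest = inner.groups()
    # key=value pairs inside the quoted avc message; exe= is double-quoted
    kv = {k: v.strip('"') for k, v in _KV.findall(rest)}
    if not {"scontext", "tcontext", "tclass"} <= kv.keys():
        return None
    return DbusAvc(
        timestamp=float(head.group(1)),
        serial=int(head.group(2)),
        decision=decision,
        permissions=perms.split(),
        msgtype=kv.get("msgtype"),
        scontext=kv["scontext"],
        tcontext=kv["tcontext"],
        tclass=kv["tclass"],
        permissive=kv.get("permissive") == "1",
        fields=kv,
    )


def is_blocked_reply(avc: DbusAvc) -> bool:
    """True when the bus enforced a denial on a method_return: the caller then
    times out with NoReply instead of getting an explicit permission error."""
    return (avc.decision == "denied" and avc.tclass == "dbus"
            and "send_msg" in avc.permissions
            and avc.msgtype == "method_return" and not avc.permissive)


def allow_rule(avc: DbusAvc) -> str:
    """The policy rule the denial corresponds to, in the form audit2allow
    would emit; useful to see what a fix has to grant, not as a fix itself."""
    perms = " ".join(avc.permissions)
    return f"allow {avc.source_type} {avc.target_type}:{avc.tclass} {{ {perms} }};"


if __name__ == "__main__":
    avc = parse_user_avc(SAMPLE_RECORD)
    assert avc is not None
    print(f"{avc.source_type} -> {avc.target_type} {avc.tclass} {avc.permissions}")
    print("blocked reply:", is_blocked_reply(avc))
    print(allow_rule(avc))
```

Feeding `ausearch -m USER_AVC` output through `parse_user_avc` line by line and keeping only records where `is_blocked_reply` is true isolates this class of silent failure from ordinary denials; `allow_rule` shows that the missing permission is avahi_t sending a dbus message to container_runtime_t, which is the pair the later policy update addressed rather than something to add as a local module on every affected host.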
Not an Aeon bug - distrobox and SELinux is more generic than that, assigning to Tumbleweed/SELinux
Hi, sorry for the long delay, but after trying different approaches I could not reproduce the issue.

I have openSUSE Aeon with selinux policy version 20231124-1.1 (current version, newer than yours). Then I did this:

```
test@localhost:~> distrobox create -n test
...
test@localhost:~> distrobox enter test
Starting container...                   [ OK ]
...
(inside the container)
test@test:~> sudo mkdir /run/dbus
test@test:~> sudo ln -s /run/host/run/dbus/system_bus_socket /run/dbus/system_bus_socket
test@test:~> dbus-send --system --print-reply --dest=org.freedesktop.Avahi /org/freedesktop/DBus org.freedesktop.DBus.Peer.Ping
method return time=1702048240.291599 sender=:1.2 -> destination=:1.167 serial=38 reply_serial=2
test@test:~> exit
logout
test@localhost:~> sudo ausearch -m avc -ts today
[sudo] password for test:
<no matches>
```

Also, I did another setup with a distrobox container created with --init and the dbus-send still works for me. Also tried it with different images, e.g. tumbleweed:latest, no issue.

We did quite some big changes in the last selinux-policy update, could you please check if updating fixes it for you?

If it does not, could you please share:
- how did you set up the dbus socket in the container?
- did you provide more arguments when creating the distrobox container or have something in your config that could cause this?

Thanks a lot :)
I will close this, as I can not reproduce the issue. Please feel free to reopen if the issue persists :)