bus1 / dbus-broker

Linux D-Bus Message Broker
https://github.com/bus1/dbus-broker/wiki
Apache License 2.0

dbus-broker blocks method calls even if selinux is in permissive mode #315

Closed DaanDeMeyer closed 9 months ago

DaanDeMeyer commented 1 year ago

I'm trying to enable selinux in permissive mode in systemd's mkosi development environment (kernel cmdline: selinux=1 enforcing=0). This leads to an unbootable system on Fedora 38 where I see many log messages such as the following:

[   14.082895] dbus-broker[537]: A security policy denied :1.11 to send method call /org/freedesktop/DBus:org.freedesktop.DBus.Hello to org.freedesktop.DBus.
[   14.089441] dbus-broker[537]: A security policy denied :1.11 to send method call /org/freedesktop/DBus:org.freedesktop.DBus.AddMatch to org.freedesktop.DBus.
[   14.091191] dbus-broker[537]: A security policy denied :1.11 to send method call /org/freedesktop/DBus:org.freedesktop.DBus.GetNameOwner to org.freedesktop.DBus.
[   14.093315] dbus-broker[537]: A security policy denied :1.11 to send method call /org/freedesktop/DBus:org.freedesktop.DBus.AddMatch to org.freedesktop.DBus.
[   14.096283] dbus-broker[537]: A security policy denied :1.11 to send method call /org/freedesktop/DBus:org.freedesktop.DBus.GetNameOwner to org.freedesktop.DBus.
[   14.104926] dbus-broker[537]: A security policy denied :1.11 to send method call /org/freedesktop/DBus:org.freedesktop.DBus.AddMatch to org.freedesktop.DBus.
[   14.108630] dbus-broker[537]: A security policy denied :1.11 to send method call /org/freedesktop/DBus:org.freedesktop.DBus.GetNameOwner to org.freedesktop.DBus.
[   14.111382] dbus-broker[537]: A security policy denied :1.11 to send method call /org/freedesktop/DBus:org.freedesktop.DBus.AddMatch to org.freedesktop.DBus.
[   14.114287] dbus-broker[537]: A security policy denied :1.11 to send method call /org/freedesktop/DBus:org.freedesktop.DBus.GetNameOwner to org.freedesktop.DBus.
[   14.119286] dbus-broker[537]: A security policy denied :1.11 to send method call /org/freedesktop/DBus:org.freedesktop.DBus.AddMatch to org.freedesktop.DBus.
[   14.121532] dbus-broker[537]: A security policy denied :1.11 to send method call /org/freedesktop/DBus:org.freedesktop.DBus.GetNameOwner to org.freedesktop.DBus.
[   14.123828] dbus-broker[537]: A security policy denied :1.11 to send method call /org/freedesktop/DBus:org.freedesktop.DBus.AddMatch to org.freedesktop.DBus.
[   14.125690] dbus-broker[537]: A security policy denied :1.11 to send method call /org/freedesktop/DBus:org.freedesktop.DBus.GetNameOwner to org.freedesktop.DBus.

Should dbus-broker check whether selinux is in permissive mode before denying access to send method calls?

dvdhrm commented 1 year ago

Indeed. We never implemented the manual check when converting to selinux_check_access(). I now did this in #318.

dvdhrm commented 9 months ago

(This was fixed in #318, closing now. Thanks a lot for the report!)
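A triage check for the symptom reported in this issue, written as an added example that is not part of the thread or of dbus-broker: it parses the broker's denial lines and flags the case where they appear on a system booted with `enforcing=0`. The function names and the result layout are assumptions made for this sketch; the log line format and kernel parameters are those shown in the report.

```python
import re
from collections import Counter

# Denial line format as printed by dbus-broker in the report above.
DENIAL_RE = re.compile(
    r"dbus-broker\[\d+\]: A security policy denied (?P<sender>\S+) to send "
    r"method call (?P<path>/[\w/]*):(?P<member>[\w.]+) to (?P<dest>\S+?)\.\s*$"
)

def selinux_mode(cmdline):
    """SELinux mode requested at boot by the kernel command line."""
    # The dict keeps the last occurrence of a repeated parameter.
    params = dict(p.split("=", 1) for p in cmdline.split() if "=" in p)
    if params.get("selinux") == "0":
        return "disabled"
    # Without enforcing=0/1 the command line alone does not decide the mode.
    return {"0": "permissive", "1": "enforcing"}.get(params.get("enforcing"), "unknown")

def triage(cmdline, log_lines):
    """Count broker denials per (sender, member, destination) and flag the mismatch."""
    mode = selinux_mode(cmdline)
    denials = Counter()
    for line in log_lines:
        m = DENIAL_RE.search(line)
        if m:
            denials[(m["sender"], m["member"], m["dest"])] += 1
    return {
        "mode": mode,
        "denials": denials,
        # Permissive mode should log, not block: any denial here is suspect.
        "blocked_while_permissive": mode == "permissive" and bool(denials),
    }

SAMPLE_CMDLINE = "selinux=1 enforcing=0"  # parameters quoted in the report
SAMPLE_LOG = [  # first four lines copied from the report; the last one is constructed
    "[   14.082895] dbus-broker[537]: A security policy denied :1.11 to send method call /org/freedesktop/DBus:org.freedesktop.DBus.Hello to org.freedesktop.DBus.",
    "[   14.089441] dbus-broker[537]: A security policy denied :1.11 to send method call /org/freedesktop/DBus:org.freedesktop.DBus.AddMatch to org.freedesktop.DBus.",
    "[   14.091191] dbus-broker[537]: A security policy denied :1.11 to send method call /org/freedesktop/DBus:org.freedesktop.DBus.GetNameOwner to org.freedesktop.DBus.",
    "[   14.093315] dbus-broker[537]: A security policy denied :1.11 to send method call /org/freedesktop/DBus:org.freedesktop.DBus.AddMatch to org.freedesktop.DBus.",
    "[   14.200000] systemd[1]: Started example.service.",
]

if __name__ == "__main__":
    result = triage(SAMPLE_CMDLINE, SAMPLE_LOG)
    print(result["mode"], result["blocked_while_permissive"])
    for key, count in result["denials"].most_common():
        print(count, *key)
```

The command line only gives the mode requested at boot; the mode can be changed at runtime, so confirm the current state with `getenforce` before drawing conclusions.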