bus1 / dbus-broker

Linux D-Bus Message Broker
https://github.com/bus1/dbus-broker/wiki
Apache License 2.0

selinux: support permissive mode #318

Closed dvdhrm closed 1 year ago

dvdhrm commented 1 year ago

Add support for selinux permissive mode. Since we use selinux_check_access() rather than the deprecated direct AVC queries (which dbus-daemon uses), we don't get the automatic enforcing-mode check of the AVC helpers. Instead, we have to manually query security_getenforce() to get the value.

This implementation is modeled similarly to the implementation in systemd (src/core/selinux-access.c). It uses a similar optimization via the status-page to avoid an additional syscall on each policy check.

Reported in #315.
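The pattern described in the comment above, as an added example that is not code from this PR or from dbus-broker: a failed `selinux_check_access()` is only enforced when the status page reports enforcing mode. The helper `check_own()`, the sample contexts and the `fake_*` stand-ins (used when the file is built without `-DUSE_LIBSELINUX`) are assumptions made for illustration.

```c
/* Added example, not dbus-broker code. Build against the real library with:
 *   cc -DUSE_LIBSELINUX example.c -lselinux */
#include <errno.h>
#include <stdbool.h>
#include <stdio.h>

#ifdef USE_LIBSELINUX
#include <selinux/selinux.h>   /* selinux_check_access() */
#include <selinux/avc.h>       /* selinux_status_open(), selinux_status_getenforce() */
#else
/* Constructed stand-ins with the libselinux signatures, so the example runs offline. */
static int fake_enforcing = 1, fake_denied = 1;
static int selinux_status_open(int fallback) { (void)fallback; return 0; }
static int selinux_status_getenforce(void) { return fake_enforcing; }
static int selinux_check_access(const char *scon, const char *tcon,
                                const char *tclass, const char *perm, void *aux) {
    (void)scon; (void)tcon; (void)tclass; (void)perm; (void)aux;
    if (!fake_denied)
        return 0;
    errno = EACCES;
    return -1;
}
#endif

/* Enforcing state from the mmap()ed status page: no syscall per policy check. */
static bool is_enforcing(void) {
    static bool page_open;
    if (!page_open) {
        if (selinux_status_open(1) < 0)  /* 1: allow the netlink fallback */
            return true;                 /* state unknown: fail closed */
        page_open = true;
    }
    return selinux_status_getenforce() != 0;  /* -1 (error) counts as enforcing */
}

/* Hypothetical helper: may `scon` own a name labelled `tcon`? 0 = allow, -EACCES = deny. */
static int check_own(const char *scon, const char *tcon, const char *name) {
    if (selinux_check_access(scon, tcon, "dbus", "acquire_svc", NULL) == 0)
        return 0;
    int denied_errno = errno;
    if (is_enforcing())
        return -EACCES;
    /* Permissive: the denial is reported but not enforced. */
    fprintf(stderr, "selinux permissive: acquire_svc on %s not enforced (errno %d)\n",
            name, denied_errno);
    return 0;
}
```

Treating an unreadable status page as enforcing keeps the check fail-closed when the mode cannot be determined.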

dvdhrm commented 1 year ago

(rebased on main to get a final run on the new CI with selinux enabled)

DaanDeMeyer commented 1 year ago

Backported this feature to rawhide: https://src.fedoraproject.org/rpms/dbus-broker/pull-request/6

DaanDeMeyer commented 12 months ago

cc @dvdhrm could you take a look at that PR for the dbus-broker rpm?