Closed dvdhrm closed 1 year ago
(rebased on main to get a final run on the new CI with selinux enabled)
Backported this feature to rawhide: https://src.fedoraproject.org/rpms/dbus-broker/pull-request/6
cc @dvdhrm could you take a look at that PR for the dbus-broker rpm?
Add support for selinux permissive mode. Since we use selinux_check_access() rather than the deprecated direct AVC queries (which dbus-daemon uses), we don't get the automatic enforcing-mode check of the AVC helpers. Instead, we have to manually query security_getenforce() to get the value.

This implementation is modeled similar to the implementation in systemd (src/core/selinux-access.c). It uses a similar optimization via the status-page to avoid an additional syscall on each policy check.
Reported in #315.
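The decision flow described above, as an added example that is not code from this PR, dbus-broker or systemd: a denied access check is only enforced when the status page says enforcing, and the page is read seqlock-style so no syscall is needed per check. The struct layout is assumed from the kernel's `struct selinux_kernel_status`, the names `status_page`, `read_enforcing` and `policy_decision` are hypothetical, the page is a constructed in-memory copy so this runs without SELinux, and failing closed on an unstable read is this example's choice.

```c
#include <errno.h>
#include <stdatomic.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed in-memory copy of the SELinux status page; field order assumed
 * from the kernel's struct selinux_kernel_status. Not a real mapping. */
struct status_page {
    uint32_t version;
    volatile uint32_t sequence;   /* odd while the kernel is mid-update */
    volatile uint32_t enforcing;  /* 1 = enforcing, 0 = permissive */
    uint32_t policyload;
    uint32_t deny_unknown;
};

/* Seqlock-style read without a syscall. Returns 1, 0, or -1 if no stable
 * snapshot was seen within the retry budget. */
static int read_enforcing(const struct status_page *p)
{
    for (int tries = 0; tries < 1000; tries++) {
        uint32_t seq = p->sequence;
        atomic_thread_fence(memory_order_acquire);
        uint32_t val = p->enforcing;
        atomic_thread_fence(memory_order_acquire);
        if (!(seq & 1) && seq == p->sequence)
            return val ? 1 : 0;
    }
    return -1;
}

/* check_result is what the access check returned: 0 allowed, -1 denied.
 * Returns 0 to let the operation through, -EACCES to reject it. */
static int policy_decision(int check_result, const struct status_page *p)
{
    if (check_result == 0)
        return 0;
    if (read_enforcing(p) == 0)
        return 0;        /* permissive: the denial is not enforced */
    return -EACCES;      /* enforcing, or state unknown: fail closed */
}

int main(void)
{
    struct status_page permissive = { 1, 2, 0, 0, 0 };
    struct status_page enforcing = { 1, 4, 1, 0, 0 };
    printf("permissive: %d, enforcing: %d\n",
           policy_decision(-1, &permissive), policy_decision(-1, &enforcing));
    return 0;
}
```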