Closed bachradsusi closed 9 years ago
If you run the following reproducer
you get
[system] Rejected send message, 1 matched rules; type="method_call", sender=":1.673" (uid=1000 pid=753 comm="/usr/bin/python -Es /usr/bin/sealert -s ") interface="org.fedoraproject.SetroubleshootFixit" member="run_fix" error name="(unset)" requested_reply="0" destination=":1.675" (uid=0 pid=772 comm="/usr/bin/python /usr/share/setroubleshoot/Setroubl")
The "Rejected send message" is not related to the drop privileges but it's due to wrong dbus configuration. I've pushed a fix for that to this branch and run a copr build https://copr.fedoraproject.org/coprs/plautrba/selinux/build/84239/
Please re-review
It works!
setroubleshootd doesn't really need to be run with root privileges. This patch changes code and dbus service setting to run setroubleshoot with setrbleshoot user.
There's available a patch for Fedora dist-git [1]. The patch also changes the spec file to create setroubleshoot user, change owner of /var/lib/setroubleshoot and /var/run/setroubleshoot and add tmpfiles.d configation file to create /run/setroubleshoot directory on boot.
[1] https://plautrba.fedorapeople.org/setroubleshoot/setroubleshootd-run-server-with-setroubleshoot-uid-i.patch src.rpm is available at https://plautrba.fedorapeople.org/setroubleshoot/setroubleshoot-3.2.22-2.fc23.2.src.rpm