mirror of
https://gitlab.freedesktop.org/dbus/dbus.git
synced 2025-12-23 13:00:09 +01:00
Initialize audit subsystem even for the session bus
If SELinux is enabled on the system, dbus will check the permissions but no audit trails will be generated in case of denial as the audit subsystem is not initialized. Same should apply for apparmor. [smcv: without audit, the equivalent of the audit trail goes to stderr where it can be picked up by systemd-journald] A unprivileged user should be able to open the audit socket (audit_open()) but should not have the permissions to log an audit trail. The CAP_AUDIT_WRITE file capability could be set on the dbus-daemon executable in order to allow the session bus to log an AVC denial. Bug: https://bugs.freedesktop.org/show_bug.cgi?id=83856 [smcv: s/should/could/ in commit message to reflect lack of consensus that "setcap cap_audit_write+ep dbus-daemon" is desirable in general] Reviewed-by: Simon McVittie <simon.mcvittie@collabora.co.uk>
This commit is contained in:
Laurent Bigonville
Simon McVittie
parent
2602ca61c5
commit
517c4685a8
1 changed files with 2 additions and 2 deletions
|
|
@ -972,10 +972,10 @@ bus_context_new (const DBusString *config_file,
|
||||||
_DBUS_ASSERT_ERROR_IS_SET (error);
|
_DBUS_ASSERT_ERROR_IS_SET (error);
|
||||||
goto failed;
|
goto failed;
|
||||||
}
|
}
|
||||||
|
|
||||||
bus_audit_init (context);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
|
bus_audit_init (context);
|
||||||
|
|
||||||
dbus_server_free_data_slot (&server_data_slot);
|
dbus_server_free_data_slot (&server_data_slot);
|
||||||
|
|
||||||
return context;
|
return context;
|
||||||
|
|
|
||||||
Loading…
Add table
Reference in a new issue