1. 14 Jul, 2009 5 commits
  2. 06 May, 2009 3 commits
    • Eamon Walsh's avatar
      libselinux behavior in permissive mode wrt invalid domains · b38c433b
      Eamon Walsh authored
      Stephen Smalley wrote:
      > On Tue, 2009-04-21 at 16:32 -0400, Joshua Brindle wrote:
      >
      >> Stephen Smalley wrote:
      >>
      >>> On Thu, 2009-04-16 at 20:47 -0400, Eamon Walsh wrote:
      
      > >>>> Stephen Smalley wrote:
      > >>>>
      > >> <snip>
      > >>
      > >>
      > >>> No, I don't want to change the behavior upon context_to_sid calls in
      > >>> general, as we otherwise lose all context validity checking in
      > >>> permissive mode.
      
      >>> I think I'd rather change compute_sid behavior to preclude the situation
      >>> from arising in the first place, possibly altering the behavior in
      >>> permissive mode upon an invalid context to fall back on the ssid
      >>> (process) or the tsid (object).  But I'm not entirely convinced any
      >>> change is required here.
      >>>
      >>>
      >> I just want to follow up to make sure we are all on the same page here. Was the
      >> suggestion to change avc_has_perm in libselinux or context_to_sid in the kernel
      >> or leave the code as is and fix the callers of avc_has_perm to correctly handle
      >> error codes?
      >>
      >> I prefer the last approach because of Eamon's explanation, EINVAL is already
      >> passed in errno to specify the context was invalid (and if object managers
      >> aren't handling that correctly now there is a good chance they aren't handling
      >> the ENOMEM case either).
      >>
      >
      > I'd be inclined to change compute_sid (not context_to_sid) in the kernel
      > to prevent invalid contexts from being formed even in permissive mode
      > (scenario is a type transition where role is not authorized for the new
      > type).  That was originally to allow the system to boot in permissive
      > mode.  But an alternative would be to just stay in the caller's context
      > (ssid) in that situation.
      >
      > Changing the callers of avc_has_perm() to handle EINVAL and/or ENOMEM
      > may make sense, but that logic should not depend on enforcing vs.
      > permissive mode.
      >
      >
      
      FWIW, the following patch to D-Bus should help:
      
      bfo21072 - Log SELinux denials better by checking errno for the cause
      
          Note that this does not fully address the bug report since
          EINVAL can still be returned in permissive mode.  However the log
          messages will now reflect the proper cause of the denial.
      Signed-off-by: Eamon Walsh's avatarEamon Walsh <ewalsh@tycho.nsa.gov>
      Signed-off-by: Colin Walters's avatarColin Walters <walters@verbum.org>
      b38c433b
    • Kjartan Maraas's avatar
      Bug 19502 - Sparse warning cleanups · eb3b99e7
      Kjartan Maraas authored
      This patch makes various things that should be static static,
      corrects some "return FALSE" where it should be NULL, etc.
      Signed-off-by: Colin Walters's avatarColin Walters <walters@verbum.org>
      eb3b99e7
    • Colin Walters's avatar
      Always append closing quote in log command · a709566e
      Colin Walters authored
      Patch suggested by Tomas Hoger <thoger@redhat.com>
      a709566e
  3. 06 Jan, 2009 5 commits
  4. 18 Dec, 2008 2 commits
  5. 16 Dec, 2008 1 commit
  6. 12 Dec, 2008 3 commits
  7. 09 Dec, 2008 3 commits
  8. 05 Dec, 2008 1 commit
  9. 28 Jul, 2008 1 commit
  10. 15 Jul, 2008 1 commit
  11. 12 Jul, 2008 3 commits
    • Ray Strode's avatar
      Update man page to make the point of the <type> element more clear · 01e50bcd
      Ray Strode authored
      There have been a number of patches in the past try to key system
      versus session bus policy off of the message bus type, when the
      policy should be distinguished from more fine-grained options in the
      individulal policy files.  Hopefully, this man page update will make
      that more clear.
      01e50bcd
    • Ray Strode's avatar
      Add new UpdateActivationEnvironment bus message · 37853b6d
      Ray Strode authored
      It adjusts the environment of activated bus clients.
      This is important for session managers that get started
      after the session bus daemon and want to influence the
      environment of desktop services that are started by the
      bus.
      37853b6d
    • Ray Strode's avatar
      Store what environment to activate with on activation object · 91306ef9
      Ray Strode authored
      We now keep the environment in a hash table member of the
      activation object and provide a method
      bus_activation_set_environment_variable to modify the
      hash table.  This hash table is seeded initially with the
      environment of the bus daemon itself.
      91306ef9
  12. 05 Jun, 2008 1 commit
    • Colin Walters's avatar
      Bug 15740: Solaris/ADT auditing support (simon zheng) · ab1eb1fd
      Colin Walters authored
      	* bus/driver.c: Add GetAdtAuditSessionData method
      	which returns audit data for a connection.
      	* configure.in: Detect ADT auditing support
      	* dbus/dbus-auth.c: Read ADT auditing creds.
      	* dbus/dbus-connection.c: Implement
      	dbus_connection_get_adt_audit_session_data.
      	* dbus/dbus-connection.h: Export it.
      	* dbus/dbus-credentials.c: Add support for
      	gathering adt_audit_data and retrieving it
      	via _dbus_credentials_get_adt_audit_data.
      	* dbus/dbus-credentials.h: Add
      	DBUS_CREDENTIAL_ADT_AUDIT_DATA_ID.
      	* dbus/dbus-protocol.h: New error
      	DBUS_ERROR_ADT_AUDIT_DATA_UNKNOWN.
      	* dbus/dbus-sysdeps.c: Support for reading
      	audit credentials via ADT API.
      	* dbus/dbus-transport.c: New function
      	_dbus_transport_get_adt_audit_session_data
      	to retrieve credentials.
      	* dbus/dbus-transport.h: Export it.
      ab1eb1fd
  13. 03 Apr, 2008 1 commit
    • Kimmo Hämäläinen's avatar
      fix expiration of pending replies · 7c4b3458
      Kimmo Hämäläinen authored
      * bus/expirelist.c
        (do_expiration_with_current_time): calculate correct min wait time
        and next interval
        (bus_expire_list_add, bus_expire_list_add_link): if the timeout is
        disabled when we add an item to the expire list, enable the timeout
        (do_expiration_with_current_time): only set timeout if there are
        items to expire
      7c4b3458
  14. 01 Apr, 2008 1 commit
    • Frederic Crozat's avatar
      Fixes for the inotify configuration file monitor backend. · 68f69d38
      Frederic Crozat authored
      2008-04-01  Timo Hoenig  <thoenig@suse.de>
      
      Patch from Frederic Crozat <fcrozat@mandriva.com>
      
      * bus/dir-watch-inotify.c (bus_watch_directory): Only monitor
        IN_CLOSE_WRITE, IN_DELETE, IN_MOVE_TO and IN_MOVE_FROM events. This
        way, only atomic changes to configuration file are monitored.
      * bus/dir-watch-inotify.c (_handle_inotify_watch): Fix typo in
        _dbus_verbose function call
      * bus/dir-watch-inotify.c (bus_drop_all_directory_watches): Use
        _dbus_strerror instead of perror
      68f69d38
  15. 04 Mar, 2008 1 commit
    • Havoc Pennington's avatar
      Make BusExpireList an opaque data type · a3740411
      Havoc Pennington authored
      2007-11-08  Havoc Pennington  <hp@redhat.com>
      
      	* bus/connection.c, bus/expirelist.c: Make the BusExpireList
      	struct opaque, adding accessors for manipulating the list. In this
      	commit there should be no change in functionality or behavior. The
      	purpose of this change is to improve encapsulation prior to fixing
      	some bugs Kimmo Hämäläinen found where the timeout is not properly
      	updated, since we need to e.g. take some action whenever adding
      	and removing stuff from the expire list.
      a3740411
  16. 26 Feb, 2008 1 commit
    • John Palmieri's avatar
      CVE-2008-0595 dbus security policy circumvention · 6db561dc
      John Palmieri authored
      * CVE-2008-0595 - security policy of the type <allow send_interface=
        "some.interface.WithMethods"/> work as an implicit allow for
        messages sent without an interface bypassing the default deny rules
        and potentially allowing restricted methods exported on the bus to be
        executed by unauthorized users.  This patch fixes the issue.
      * bus/policy.c (bus_client_policy_check_can_send,
        bus_client_policy_check_can_receive): skip messages without an
        interface when evaluating an allow rule, and thus pass it to the
        default deny rules
      6db561dc
  17. 21 Feb, 2008 1 commit
  18. 17 Jan, 2008 1 commit
    • John Palmieri's avatar
      fix inotify support · e1821fc3
      John Palmieri authored
      2008-01-17  Timo Hoenig  <thoenig@suse.de>
      	* fix inotify support
      	* bus/dir-watch-inotify.c (_handle_inotify_watch): fix reading of the
      	inotify events. Also, use ssize_t not size_t for 'ret'.
      	* bus/dir-watch-inotify.c (bus_watch_directory): watch not only for
      	IN_MODIFY but also for IN_CREATE and IN_DELETE
      	* bus/dir-watch-inotify.c (bus_drop_all_directory_watches): drop the
      	inotify watches more elegantly by closing inotify:_fd, set inotify_fd to
      	-1 after dropping the watches
      e1821fc3
  19. 15 Jan, 2008 5 commits
    • John Palmieri's avatar
      add lsb headers to init script (FDO Bug #11491) · 71c26770
      John Palmieri authored
      2008-01-15  John (J5) Palmieri  <johnp@redhat.com>
      
      	* bus/messagebus.in: add lsb headers (FDO Bug #11491)
      71c26770
    • John Palmieri's avatar
      check failed allocation (FDO Bug #12920) · 4cc2bfa1
      John Palmieri authored
      2008-01-15  John (J5) Palmieri  <johnp@redhat.com>
      
      	* patch by Kimmo Hämäläinen <kimmo dot hamalainen at nokia dot com>
      
      	* bus/bus.c (setup_server): check failed allocation (FDO Bug #12920)
      4cc2bfa1
    • John Palmieri's avatar
      rewrite selinux error handling to not abort due to a NULL read · 9db43592
      John Palmieri authored
      2008-01-15  John (J5) Palmieri  <johnp@redhat.com>
      
      	* bus/bus.c (bus_context_check_security_policy): rewrite selinux error
      	handling to not abort due to a NULL read and to set the error only if
      	it is not already set (Based off of FDO Bug #12430)
      9db43592
    • John Palmieri's avatar
      remove dead code · f72bb380
      John Palmieri authored
      2008-01-15  John (J5) Palmieri  <johnp@redhat.com>
      
      	* patch by Kimmo Hämäläinen <kimmo dot hamalainen at nokia dot com>
      
      	* bus/config-parser.c (locate_attributes): remove dead code which
      	always evaluated to TRUE
      
      	* dbus/dbus-shell.c (_dbus_shell_quote): remove unused code
      f72bb380
    • John Palmieri's avatar
      plug a possible BusClientPolicy leak (FDO Bug #13242) · fec58d8d
      John Palmieri authored
      2008-01-14  John (J5) Palmieri  <johnp@redhat.com>
      
      	* patch by Kimmo Hämäläinen <kimmo dot hamalainen at nokia dot com>
      
      	* bus/connection.c (bus_connection_complete): plug a possible
      	BusClientPolicy leak (FDO Bug #13242)
      fec58d8d