Stop using selinux_set_mapping() function
Submitted by Laurent Bigonville
Assigned to D-Bus Maintainers
ATM, when selinux_set_mapping() fails due to an incomplete policy (or no policy at all) dbus-daemon exits even in permissive mode.
This is a bit a problem for people that are developing their policy or for people that need to recover their machines after a miss configuration as dbus-daemon is part of the boot and login process via logind.
I'm actually wondering if that call is needed at all these days. As we could use, I think, avc_context_to_sid(), string_to_security_class() and string_to_av_perm() to get the needed info.
An other solution would be to use selinux_check_access() instead of avc_has_perm() (selinux_check_access() uses avc_has_perm() internally and the function mentioned above internally), the problem is that way we cannot use the cache, I think again, and we might have a performance hit.
selinux_set_mapping() was introduced by:
selinux: Use selinux_set_mapping() to avoid hardcoded constants for policy Previous to the introduction of selinux_set_mapping(), DBus pulled constants generated from the system's policy at build time. But this means it's impossible to replace the system policy without rebuilding userspace components. This patch maps from arbitrary class/perm indices used by D-Bus and the policy values and handles all the translation at runtime on avc_has_perm() calls. Bug: https://bugs.freedesktop.org/attachment.cgi?id=88719 Reviewed-By: Colin Walters <email@example.com> Tested-By: Colin Walters <firstname.lastname@example.org>
Version: git master