From 8f3c034e65de5e40394b53eb276c5945d0c79d71 Mon Sep 17 00:00:00 2001 From: Laurent Bigonville Date: Mon, 15 Jun 2015 15:30:16 +0200 Subject: [PATCH 1/2] Initialize audit subsystem even for the session bus If SELinux is enabled on the system, dbus will check the permissions but no audit trails will be generated in case of denial as the audit subsystem is not initialized. Same should apply for apparmor. A unprivileged user should be able to open the audit socket (audit_open()) but should not have the permissions to log an audit trail. The CAP_AUDIT_WRITE file capability should be set on the dbus-daemon executable in order to allow the session bus to log an AVC denial. https://bugs.freedesktop.org/show_bug.cgi?id=83856 --- bus/bus.c | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-) diff --git a/bus/bus.c b/bus/bus.c index 056f677..128ae3c 100644 --- a/bus/bus.c +++ b/bus/bus.c @@ -972,10 +972,10 @@ bus_context_new (const DBusString *config_file, _DBUS_ASSERT_ERROR_IS_SET (error); goto failed; } - - bus_audit_init (context); } + bus_audit_init (context); + dbus_server_free_data_slot (&server_data_slot); return context; -- 2.1.4