From 28a3f50fd6946738486ab03fb0798109f00855a8 Mon Sep 17 00:00:00 2001
From: Laurent Bigonville
Date: Sun, 8 Nov 2015 14:37:08 +0100
Subject: [PATCH] Initialize SELinux and Apparmor after capabilities are set

avc_init() in the SELinux code path is creating a new thread, we need to set to capabilities before it gets created so it has the permission to send audit messages. It also make more sense to open the audit netlink before the different logging callbacks are set.
---
 bus/bus.c | 38 +++++++++++++++++++------------------
 1 file changed, 19 insertions(+), 19 deletions(-)

diff --git a/bus/bus.c b/bus/bus.c
index 128ae3c..6512ca7 100644
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -931,25 +931,6 @@ bus_context_new (const DBusString *config_file,
       !_dbus_pipe_is_stdout_or_stderr (print_pid_pipe))
     _dbus_pipe_close (print_pid_pipe, NULL);
 
-  if (!bus_selinux_full_init ())
-    {
-      bus_context_log (context, DBUS_SYSTEM_LOG_FATAL, "SELinux enabled but D-Bus initialization failed; check system log\n");
-    }
-
-  if (!bus_apparmor_full_init (error))
-    {
-      _DBUS_ASSERT_ERROR_IS_SET (error);
-      goto failed;
-    }
-
-  if (bus_apparmor_enabled ())
-    {
-      /* Only print AppArmor mediation message when syslog support is enabled */
-      if (context->syslog)
-        bus_context_log (context, DBUS_SYSTEM_LOG_INFO,
-                         "AppArmor D-Bus mediation is enabled\n");
-    }
-
   if (!process_config_postinit (context, parser, error))
     {
       _DBUS_ASSERT_ERROR_IS_SET (error);
@@ -976,6 +957,25 @@ bus_context_new (const DBusString *config_file,
 
   bus_audit_init (context);
 
+  if (!bus_selinux_full_init ())
+    {
+      bus_context_log (context, DBUS_SYSTEM_LOG_FATAL, "SELinux enabled but D-Bus initialization failed; check system log\n");
+    }
+
+  if (!bus_apparmor_full_init (error))
+    {
+      _DBUS_ASSERT_ERROR_IS_SET (error);
+      goto failed;
+    }
+
+  if (bus_apparmor_enabled ())
+    {
+      /* Only print AppArmor mediation message when syslog support is enabled */
+      if (context->syslog)
+        bus_context_log (context, DBUS_SYSTEM_LOG_INFO,
+                         "AppArmor D-Bus mediation is enabled\n");
+    }
+
   dbus_server_free_data_slot (&server_data_slot);
 
   return context;
-- 
2.6.2
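Review bot: The new placement encodes an ordering constraint that nothing in the code states: the SELinux/AppArmor block must stay after the daemon's credential change and after bus_audit_init(), because, per the commit message, the thread that avc_init() starts inherits the capabilities in force at that moment and needs them to send audit messages; the credential change itself is outside this hunk. A comment above the added `if (!bus_selinux_full_init ())` would stop a later reorder from silently undoing the fix, e.g. `/* Must run after the daemon has changed user and opened the audit socket: avc_init() starts a thread that needs the current capabilities to emit audit messages. */`. Note also that process_config_postinit() now runs before the LSM init (the removed lines in the first hunk show it used to run after); if it resolves SELinux contexts from the policy, that lookup now happens before bus_selinux_full_init() and should be checked. The enclosing bus_context_new() begins and ends outside the hunk.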