Attention: dbus 0.60-6 breaks avahi, hal ...

Jason Vas Dias jvdias at redhat.com
Mon Jan 23 18:42:27 UTC 2006


On Monday 23 January 2006 13:27, "John (J5) Palmieri" <johnp at redhat.com> wrote:
>  On Sun, 2006-01-22 at 15:55 -0500, Dan Williams wrote:
>  > On Sun, 2006-01-22 at 15:12 +0000, Richard Hughes wrote:
>  > > On Sun, 2006-01-22 at 19:56 +0530, Rahul Sundaram wrote:
>  > > > Joachim Frieben wrote:
>  > > > 
>  > > > >After updating "dbus" packages to version 0.60-6, "avahi" and
>  > > > >"hal" daemons fail to start up correctly during system boot.
>  > > > >This is very annoying when logging in to a "GNOME" session
>  > > > >as various applications such as the "gnome-power-manager" stop
>  > > > >working. Media detection is of course also out of order.
>  > > > >The breakage has appeared sometime between version 0.60-3 which
>  > > > >works correctly and the current version. Downgrading to version
>  > > > >0.60-3 allows one to recover a working "GNOME" desktop.
>  > > > >  
>  > > > >
>  > > > Looks like dbus is working fine but has made an incompatible change and 
>  > > > the other programs like avahi and g-p-m need to be updated. Just a guess.
>  > > 
>  > > g-p-m is working fine with DBUS cvs -- but I believe J5 made some
>  > > changes to the DBUS package for rawhide to put stuff in different
>  > > directories. The breakage is probably due to that.
>  > 
>  > That shouldn't "break stuff" unless avahi and/or hal use paths to
>  > dbus-send or stuff like that (dhclient-script does this, I've fixed it).
>  > Perhaps they do.  Anyone care to check?
>  
>  I'm putting a symlink in /usr/bin/ to "fix" this but applications should
>  fix this by looking in /bin.  Also if you did not update your SELinux
>  policies you will get breakage.  Other than that applications that don't
>  do anything wacky should not break.
>  
>  -- 
>  John (J5) Palmieri <johnp at redhat.com>
>  

The avahi startup issue appears to be caused by an issue with selinux-policy-targeted-2.2.2-1 :

# audit2allow </var/log/audit/audit.log | grep avahi
allow avahi_t initrc_t:unix_stream_socket connectto;

# grep avahi-daemon /var/log/audit/audit.log
type=AVC msg=audit(1138039806.833:117): avc:  denied  { connectto } for  pid=2696 comm="avahi-daemon" name="system_bus_socket" scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket

This is weird, as the system-bus-socket seems to have the correct context:
$ ls -lZ /var/run/dbus/system_bus_socket
srwxrwxrwx  root     root     system_u:object_r:system_dbusd_var_run_t /var/run/dbus/system_bus_socket

Yet all dbus-daemon's FDs have context system_u:system_r:initrc_t :

# ls -Z /proc/$dbus_daemon_system_pid/fd
...system_u:system_r:initrc_t...

I think this is because /usr/bin/dbus-daemon, which HAD context 'system_u:object_r:system_dbusd_exec_t',
has now moved to /bin, where it now has context 'system_u:object_r:bin_t' .

I'm not sure that just creating links will rectify this ( /bin precedes /usr/bin in the initscripts $PATH )-
selinux-policy needs updating to take account of the new dbus-daemon location.

Thanks & Regards,
Jason Vas Dias <jvdias at redhat.com>
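
Added example, not part of the original message: a small Python triage of AVC records that flags the pattern diagnosed above, a connectto denial on a unix_stream_socket whose target context is initrc_t, meaning the listening daemon is still running in the init script's domain instead of its own. The function names and the second log record are constructed for illustration; the first record is the one quoted in the message.

```python
import re

# First record: the AVC denial quoted in the message above.
# Second record: constructed, an unrelated file denial that must not be flagged.
SAMPLE_LOG = '''\
type=AVC msg=audit(1138039806.833:117): avc:  denied  { connectto } for  pid=2696 comm="avahi-daemon" name="system_bus_socket" scontext=system_u:system_r:avahi_t:s0 tcontext=system_u:system_r:initrc_t:s0 tclass=unix_stream_socket
type=AVC msg=audit(1138039900.100:130): avc:  denied  { read } for  pid=3001 comm="exampled" name="example.conf" scontext=system_u:system_r:example_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
'''

AVC_RE = re.compile(r'avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+(?P<rest>.*)')
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return the fields of one AVC denial as a dict, or None if not a denial."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group('rest'))}
    rec['perms'] = m.group('perms').split()
    for key in ('scontext', 'tcontext'):
        # A context is user:role:type[:level]; the type is what policy rules match.
        parts = rec.get(key, '').split(':')
        rec[key + '_type'] = parts[2] if len(parts) >= 3 else None
    return rec


def peer_in_initrc(rec):
    """True when a client was denied connecting to a socket owned by initrc_t.

    For connectto, the target context is that of the listening process, so
    initrc_t here means the daemon never left the init script's domain, which
    happens when its executable lacks the label that triggers the transition.
    """
    return (rec.get('tclass') == 'unix_stream_socket'
            and 'connectto' in rec['perms']
            and rec['tcontext_type'] == 'initrc_t')


def triage(log_text):
    """Return (client comm, socket name, client type) for each flagged denial."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec and peer_in_initrc(rec):
            hits.append((rec.get('comm'), rec.get('name'), rec['scontext_type']))
    return hits


if __name__ == '__main__':
    for comm, name, stype in triage(SAMPLE_LOG):
        print(f'{comm} ({stype}) -> {name}: peer runs as initrc_t; check the daemon binary label with ls -Z')
```

A hit points at the listening daemon's executable rather than at the client: compare its label (ls -Z) with the exec type the policy expects before adding the allow rule that audit2allow suggests.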





