[Bug 1252821] Re: Apparmor rejects connection to dbus-daemon when address is used

Tyler Hicks tyhicks at canonical.com
Tue Nov 19 18:28:00 UTC 2013 

** Project changed: apparmor => dbus

** Changed in: dbus
     Assignee: (unassigned) => Tyler Hicks (tyhicks)

** Project changed: dbus => dbus (Ubuntu)

-- 
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1252821

Title:
  Apparmor rejects connection to dbus-daemon when address is used

Status in “dbus” package in Ubuntu:
  New

Bug description:
  When using a custom dbus-daemon listening on an address, apparmor
  always rejects the call, unless disabled

  dbus-daemon --config-file=/etc/dbus-1/custom.conf
  with <listen>tcp:host=127.0.0.1,bind=*,port=14500</listen>

  - when i used <apparmor mode="disabled"/> in /etc/dbus-1/custom.conf,
  everyhing works fine as expected

  - when enabling and setting a apparmor profile :
      - if using system dbus (instead of custom) -> works fine
      - when launching the daemon and attempting to register a service :

       telnet 127.0.0.1 14500 ->   (I also added a apparmor profile to let it through dbus)
              Connected to localhost.
              Escape character is '^]'.
              Connection closed by foreign host.

       daemon attempting to open a QDbusConnection to register service : 
  QDBusConnection last error message: 
  failed to 127.0.0.1:14500 (Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.)

  
  After posting to lists.ubuntu.com/apparmor, got reply from Tyler Hicks

  "AppArmor should be disabled if a tcp address is used. The
  AppArmor mediation code only has the ability to check peer labels over
  UNIX domain sockets. It is most likely seeing an error when getting the
  label and then refusing the connection.

  It looks like the SELinux mediation support in D-Bus has the same bug:
   https://bugzilla.redhat.com/show_bug.cgi?id=890658"

  -> opening bug here @ Tyler request.

  Regards

  seb

  
  profile for daemon looks like :
  /usr/lib/kde4/libexec/mydaemon {
  	dbus,
  	network ,
  	capability,
  	….
  }

  /etc/dbus-1/custom.conf :

  <!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
  "http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
  <busconfig>
   <fork/>
   <servicedir>/usr/share/dbus-1/system-services</servicedir>
   <syslog/>
   <listen>tcp:host=127.0.0.1,bind=*,port=14500</listen>
   <allow_anonymous/>
   <includedir>/etc/dbus-1/system.d/</includedir>
  </busconfig>

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/1252821/+subscriptions

More information about the foundations-bugs mailing list