[Bug 1252821] Re: Apparmor rejects connection to dbus-daemon when address is used
Tyler Hicks
tyhicks at canonical.com
Tue Nov 19 18:28:00 UTC 2013
** Project changed: apparmor => dbus
** Changed in: dbus
Assignee: (unassigned) => Tyler Hicks (tyhicks)
** Project changed: dbus => dbus (Ubuntu)
--
You received this bug notification because you are a member of Ubuntu
Foundations Bugs, which is subscribed to dbus in Ubuntu.
https://bugs.launchpad.net/bugs/1252821
Title:
Apparmor rejects connection to dbus-daemon when address is used
Status in “dbus” package in Ubuntu:
New
Bug description:
When using a custom dbus-daemon listening on an address, apparmor
always rejects the call, unless disabled
dbus-daemon --config-file=/etc/dbus-1/custom.conf
with <listen>tcp:host=127.0.0.1,bind=*,port=14500</listen>
- when i used <apparmor mode="disabled"/> in /etc/dbus-1/custom.conf,
everyhing works fine as expected
- when enabling and setting a apparmor profile :
- if using system dbus (instead of custom) -> works fine
- when launching the daemon and attempting to register a service :
telnet 127.0.0.1 14500 -> (I also added a apparmor profile to let it through dbus)
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
daemon attempting to open a QDbusConnection to register service :
QDBusConnection last error message:
failed to 127.0.0.1:14500 (Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.)
After posting to lists.ubuntu.com/apparmor, got reply from Tyler Hicks
"AppArmor should be disabled if a tcp address is used. The
AppArmor mediation code only has the ability to check peer labels over
UNIX domain sockets. It is most likely seeing an error when getting the
label and then refusing the connection.
It looks like the SELinux mediation support in D-Bus has the same bug:
https://bugzilla.redhat.com/show_bug.cgi?id=890658"
-> opening bug here @ Tyler request.
Regards
seb
profile for daemon looks like :
/usr/lib/kde4/libexec/mydaemon {
dbus,
network ,
capability,
….
}
/etc/dbus-1/custom.conf :
<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
<fork/>
<servicedir>/usr/share/dbus-1/system-services</servicedir>
<syslog/>
<listen>tcp:host=127.0.0.1,bind=*,port=14500</listen>
<allow_anonymous/>
<includedir>/etc/dbus-1/system.d/</includedir>
</busconfig>
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/dbus/+bug/1252821/+subscriptions
More information about the foundations-bugs
mailing list