Apparmor rejects connection to dbus-daemon when address is used
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| dbus (Ubuntu) |
Confirmed
|
Undecided
|
Tyler Hicks | ||
Bug Description
When using a custom dbus-daemon listening on an address, apparmor always rejects the call, unless disabled
dbus-daemon --config-
with <listen>
- when i used <apparmor mode="disabled"/> in /etc/dbus-
- when enabling and setting a apparmor profile :
- if using system dbus (instead of custom) -> works fine
- when launching the daemon and attempting to register a service :
telnet 127.0.0.1 14500 -> (I also added a apparmor profile to let it through dbus)
Escape character is '^]'.
daemon attempting to open a QDbusConnection to register service :
QDBusConnection last error message:
failed to 127.0.0.1:14500 (Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.)
After posting to lists.ubuntu.
"AppArmor should be disabled if a tcp address is used. The
AppArmor mediation code only has the ability to check peer labels over
UNIX domain sockets. It is most likely seeing an error when getting the
label and then refusing the connection.
It looks like the SELinux mediation support in D-Bus has the same bug:
https:/
-> opening bug here @ Tyler request.
Regards
seb
profile for daemon looks like :
/usr/lib/
dbus,
network ,
capability,
….
}
/etc/dbus-
<!DOCTYPE busconfig PUBLIC "-//freedesktop
"http://
<busconfig>
<fork/>
<servicedir>
<syslog/>
<listen>
<allow_anonymous/>
<includedir>
</busconfig>
| affects: | apparmor → dbus |
| Changed in dbus: | |
| assignee: | nobody → Tyler Hicks (tyhicks) |
| affects: | dbus → dbus (Ubuntu) |
| Launchpad Janitor (janitor) wrote | #1 |
| Changed in dbus (Ubuntu): | |
| status: | New → Confirmed |
Status changed to 'Confirmed' because the bug affects multiple users.