Apparmor rejects connection to dbus-daemon when address is used

Bug #1252821 reported by Sebastien Senechal on 2013-11-19
22
This bug affects 4 people
Affects Status Importance Assigned to Milestone
dbus (Ubuntu)
Undecided
Tyler Hicks

Bug Description

When using a custom dbus-daemon listening on an address, apparmor always rejects the call, unless disabled

dbus-daemon --config-file=/etc/dbus-1/custom.conf
with <listen>tcp:host=127.0.0.1,bind=*,port=14500</listen>

- when i used <apparmor mode="disabled"/> in /etc/dbus-1/custom.conf, everyhing works fine as expected

- when enabling and setting a apparmor profile :
    - if using system dbus (instead of custom) -> works fine
    - when launching the daemon and attempting to register a service :

     telnet 127.0.0.1 14500 -> (I also added a apparmor profile to let it through dbus)
            Connected to localhost.
            Escape character is '^]'.
            Connection closed by foreign host.

     daemon attempting to open a QDbusConnection to register service :
QDBusConnection last error message:
failed to 127.0.0.1:14500 (Did not receive a reply. Possible causes include: the remote application did not send a reply, the message bus security policy blocked the reply, the reply timeout expired, or the network connection was broken.)

After posting to lists.ubuntu.com/apparmor, got reply from Tyler Hicks

"AppArmor should be disabled if a tcp address is used. The
AppArmor mediation code only has the ability to check peer labels over
UNIX domain sockets. It is most likely seeing an error when getting the
label and then refusing the connection.

It looks like the SELinux mediation support in D-Bus has the same bug:
 https://bugzilla.redhat.com/show_bug.cgi?id=890658"

-> opening bug here @ Tyler request.

Regards

seb

profile for daemon looks like :
/usr/lib/kde4/libexec/mydaemon {
 dbus,
 network ,
 capability,
 ….
}

/etc/dbus-1/custom.conf :

<!DOCTYPE busconfig PUBLIC "-//freedesktop//DTD D-Bus Bus Configuration 1.0//EN"
"http://www.freedesktop.org/standards/dbus/1.0/busconfig.dtd">
<busconfig>
 <fork/>
 <servicedir>/usr/share/dbus-1/system-services</servicedir>
 <syslog/>
 <listen>tcp:host=127.0.0.1,bind=*,port=14500</listen>
 <allow_anonymous/>
 <includedir>/etc/dbus-1/system.d/</includedir>
</busconfig>

Tyler Hicks (tyhicks) on 2013-11-19
affects: apparmor → dbus
Changed in dbus:
assignee: nobody → Tyler Hicks (tyhicks)
affects: dbus → dbus (Ubuntu)
Launchpad Janitor (janitor) wrote :

Status changed to 'Confirmed' because the bug affects multiple users.

Changed in dbus (Ubuntu):
status: New → Confirmed
To post a comment you must log in.
This report contains Public information  Edit
Everyone can see this information.

Other bug subscribers