Bug#849636: apt-daily: do not use pidof
Package: apt
Version: 1.4~beta2
The script '/usr/lib/apt/apt.systemd.daily' uses 'pidof dbus-daemon'
to check whether dbus is running and whether to send a message.
With SELinux enabled this causes AVC denials like:
type=PROCTITLE msg=audit(12/29/16 07:43:22.385:42209) : proctitle=pidof dbus-daemon
type=PATH msg=audit(12/29/16 07:43:22.385:42209) : item=0 name=3/stat nametype=UNKNOWN
type=CWD msg=audit(12/29/16 07:43:22.385:42209) : cwd=/proc
type=SYSCALL msg=audit(12/29/16 07:43:22.385:42209) : arch=armeb syscall=open per=PER_LINUX_32BIT success=no exit=EACCES(Permission denied) a0=0x7ec069a4 a1=O_RDONLY|O_NOFOLLOW a2=0x1b6 a3=0x1b6 items=1 ppid=3661 pid=3797 auid=unset uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=unset comm=pidof exe=/sbin/killall5 subj=system_u:system_r:apt_t:s0 key=(null)
type=AVC msg=audit(12/29/16 07:43:22.385:42209) : avc: denied { search } for pid=3797 comm=pidof name=3 dev="proc" ino=6775 scontext=system_u:system_r:apt_t:s0 tcontext=system_u:system_r:kernel_t:s0 tclass=dir permissive=0
I do not like to grant apt these permissions, but I also want apt to
announce an update to dbus, so can you rework the dbus check?
Kindly Regards,
Christian Göttsche
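
One way to check for the system bus without scanning /proc, as an added example that is not part of the original report and is not apt's own code. The socket paths and the function names system_bus_socket_present and can_announce_on_dbus are assumptions made for illustration.

```shell
#!/bin/sh
# Added example (not apt's code): detect the D-Bus system bus without pidof.
# pidof opens /proc/<pid>/stat for every process, so under SELinux the calling
# domain (apt_t in the report) needs search access to the proc directories of
# every other domain. Testing for the bus socket stats a single path instead.

# Assumed default socket locations; pass other paths as arguments to override.
DBUS_SOCKET_CANDIDATES="/run/dbus/system_bus_socket /var/run/dbus/system_bus_socket"

# system_bus_socket_present [path...]
# Returns 0 if any candidate path is a UNIX socket, 1 otherwise.
system_bus_socket_present() {
    if [ "$#" -eq 0 ]; then
        # Unquoted on purpose: split the default list on whitespace.
        set -- $DBUS_SOCKET_CANDIDATES
    fi
    for sock in "$@"; do
        if [ -S "$sock" ]; then
            return 0
        fi
    done
    return 1
}

# can_announce_on_dbus [path...]
# Returns 0 only if dbus-send is installed and a bus socket exists.
# Caveat: a socket left behind by a crashed daemon still passes this test,
# so the caller must tolerate a failing dbus-send.
can_announce_on_dbus() {
    command -v dbus-send >/dev/null 2>&1 || return 1
    system_bus_socket_present "$@"
}

if can_announce_on_dbus; then
    echo "system bus socket found: the update notification can be sent"
else
    echo "no system bus socket or no dbus-send: skipping the notification"
fi
```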