
How to determine an SELinux rule from an error in dbus-monitor output


I have an issue in a Yocto-based embedded Linux system. I have tracked it down to an interaction between dbus and SELinux, and using dbus-monitor I can see the following error:

error time=1621869986.514891 sender=org.freedesktop.DBus -> destination=:1.4 error_name=org.freedesktop.DBus.Error.AccessDenied reply_serial=69729
   string "An SELinux policy prevents this sender from sending this message to this recipient, 0 matched rules; type="method_return", sender=":1.4" (uid=0 pid=905 comm="/usr/sbin/NetworkManager --no-daemon " label="system_u:system_r:NetworkManager_t:s0") interface="(unset)" member="(unset)" error name="(unset)" requested_reply="0" destination=":1.6390" (uid=0 pid=14426 comm="/opt/metix-embedded/metix-wg-ui " label="system_u:system_r:init_t:s0")"

However, there is no 'AVC denied' error in the audit log, so I cannot use audit2allow to determine an SELinux rule to allow the interaction.

How can I work out the SELinux rule I need from the dbus-monitor error?


Solution

  • Further research shows that dbus itself is an SELinux-aware application. It is checking the SELinux configuration and taking enforcement actions within dbus itself. This accounts for why the denials from dbus do not appear in the audit log, even when silent denials are turned off.

    My particular issue was solved by adding some allow rules for 'send_msg' as follows:

    allow init_t NetworkManager_t:dbus send_msg;
    allow NetworkManager_t init_t:dbus send_msg;
    

    Note that the 'init_t' and 'NetworkManager_t' types are derived from the dbus-monitor error.

    Further information:
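The step the answer performs by hand (read both label= fields out of the dbus-daemon denial text, take the type component of each context, and write a send_msg rule for the dbus class) can be automated in the same way audit2allow does for kernel AVCs. The following Python script is an added example written for this page; it is not part of the original question or answer, and the dbus-monitor error it parses is the one quoted in the question, embedded as a constructed sample string. Function names (parse_denial, derive_rules, rules_from_monitor_log) are this example's own.

```python
import re

# Constructed sample input: the body of the dbus-monitor AccessDenied error quoted
# in the question above, as a single string.
SAMPLE_ERROR = (
    'An SELinux policy prevents this sender from sending this message to this '
    'recipient, 0 matched rules; type="method_return", sender=":1.4" (uid=0 pid=905 '
    'comm="/usr/sbin/NetworkManager --no-daemon " '
    'label="system_u:system_r:NetworkManager_t:s0") interface="(unset)" '
    'member="(unset)" error name="(unset)" requested_reply="0" '
    'destination=":1.6390" (uid=0 pid=14426 comm="/opt/metix-embedded/metix-wg-ui " '
    'label="system_u:system_r:init_t:s0")'
)

# One peer block looks like: sender=":1.4" (uid=0 pid=905 comm="..." label="...")
PEER_RE = re.compile(r'(?P<role>sender|destination)="(?P<bus>[^"]*)"\s*\((?P<attrs>[^)]*)\)')
LABEL_RE = re.compile(r'label="(?P<label>[^"]*)"')
TYPE_RE = re.compile(r'\btype="(?P<type>[^"]*)"')


def selinux_type(label: str) -> str:
    """Return the type field of a user:role:type[:level] SELinux context."""
    parts = label.split(':')
    if len(parts) < 3:
        raise ValueError(f'not a full SELinux context: {label!r}')
    return parts[2]


def parse_denial(message: str) -> dict:
    """Extract the message kind and the SELinux types of both peers from a
    dbus-daemon 'An SELinux policy prevents this sender ...' error body."""
    if 'An SELinux policy prevents' not in message:
        raise ValueError('not a dbus SELinux denial message')
    peers = {}
    for m in PEER_RE.finditer(message):
        lab = LABEL_RE.search(m.group('attrs'))
        if lab is None:
            raise ValueError(f'{m.group("role")} has no label= attribute')
        peers[m.group('role')] = selinux_type(lab.group('label'))
    if set(peers) != {'sender', 'destination'}:
        raise ValueError('could not find both sender and destination peers')
    kind = TYPE_RE.search(message)
    return {
        'msg_type': kind.group('type') if kind else 'unknown',
        'sender_type': peers['sender'],
        'dest_type': peers['destination'],
    }


def derive_rules(message: str, include_reply_path: bool = True) -> list:
    """Turn one denial into allow rules on the dbus:send_msg permission.
    The denied direction is sender -> destination. Replies travel the opposite
    way and are checked by dbus-daemon as well, so the reverse rule is emitted
    by default (this pair is what the answer above ended up adding)."""
    d = parse_denial(message)
    rules = [f"allow {d['sender_type']} {d['dest_type']}:dbus send_msg;"]
    if include_reply_path and d['sender_type'] != d['dest_type']:
        rules.append(f"allow {d['dest_type']} {d['sender_type']}:dbus send_msg;")
    return rules


def rules_from_monitor_log(lines) -> list:
    """Collect unique rules from many dbus-monitor lines, skipping everything
    that is not a dbus SELinux denial (roughly what audit2allow does for AVCs)."""
    seen = []
    for line in lines:
        if 'An SELinux policy prevents' not in line:
            continue
        for rule in derive_rules(line):
            if rule not in seen:
                seen.append(rule)
    return seen


if __name__ == '__main__':
    for rule in derive_rules(SAMPLE_ERROR):
        print(rule)
```

Running it on the quoted error yields the denied direction first (the method_return from NetworkManager_t to init_t) and then the reverse rule, matching the two lines in the answer. One thing the parsed output makes easy to notice: the UI process carries the init_t label, which suggests it never transitioned into a domain of its own, so these rules grant the whole init_t domain access to NetworkManager over the bus rather than just that application; giving the application its own domain would let the rule be written much more narrowly.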