Sometimes can't talk to realmd when selinux is active #12

Closed
stefwalter opened this issue Nov 4, 2013 · 3 comments

@stefwalter
Contributor

mvollmer: When selinux is 'enforcing' and cockpitd and realmd have been started in certain ways (which include both being auto-launched by D-Bus), cockpitd does not receive replies from realmd, and times out.

This happens to all replies, such as the initial call to retrieve property values.

I am not entirely sure which ways to start them work, and which don't. I think if at least one of them is started from the command line, they can communicate. All other ways fail IIRC, like D-Bus autolaunching, systemctl start, and D-Bus autolaunching via systemd.

Which one starts first also doesn't seem to make a difference.

I haven't observed this with any other D-Bus service that cockpitd uses.
We use our own custom realmd package, and I might have broken it.
In any case, disabling selinux makes everything work.

@stefwalter
Contributor Author

mvollmer: This happens even with selinux disabled:

Apr 30 09:43:53 dbus[542]: Encountered error 'Failed to open "/etc/dbus-1/system.d/com.redhat.Cockpit.conf": Permission denied' while parsing '/etc/dbus-1/system.d/com.redhat.Cockpit.conf'

Maybe this is a hint.

@cgwalters
Contributor

Use "ps axZ" to see the SELinux security context for the daemons.

The key here is that when started manually, no "domain transition" occurs, so they're running in the same context as your login shell, which is unconfined_t.

By default realmd should run as realmd_t which probably doesn't have permission to talk to unconfined_t.
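
The check suggested in the comment above, as an added example that is not part of the original thread or the project's code: it reads `ps axZ` output, extracts the SELinux type (domain) of the named daemons, and reports whether they ended up in different domains. The function names, the daemon paths and the sample process listing are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of `ps axZ` output (not captured from a real host):
# realmd started by systemd, cockpitd started by hand from a login shell.
sample_ps_axz() {
cat <<'EOF'
LABEL                             PID TTY      STAT   TIME COMMAND
system_u:system_r:init_t:s0         1 ?        Ss     0:01 /usr/lib/systemd/systemd
system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 542 ? Ss 0:00 /bin/dbus-daemon --system
system_u:system_r:realmd_t:s0     812 ?        Ssl    0:00 /usr/lib/realmd/realmd
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 2107 pts/0 Sl+ 0:00 /usr/libexec/cockpitd
EOF
}

# Read `ps axZ` output on stdin; for each daemon named in "$@" print:
#   <name> <pid> <selinux type> <confined|unconfined>
selinux_domains() {
    awk -v names="$*" '
        BEGIN { n = split(names, want, " ") }
        $1 == "LABEL" { next }                 # skip the header row
        {
            # Columns: LABEL PID TTY STAT TIME COMMAND [args...]
            # LABEL is user:role:type:level, and the level may itself contain
            # colons (s0-s0:c0.c1023), so take the third piece as the type.
            split($1, ctx, ":")
            cmd = $6
            sub(/.*\//, "", cmd)               # basename of the executable
            for (i = 1; i <= n; i++)
                if (cmd == want[i]) {
                    state = (ctx[3] == "unconfined_t") ? "unconfined" : "confined"
                    print cmd, $2, ctx[3], state
                }
        }'
}

# Succeed (exit 0) when the named daemons run in more than one domain, i.e.
# when SELinux policy between those domains decides whether they may talk.
domains_differ() {
    [ "$(selinux_domains "$@" | awk '{ print $3 }' | sort -u | wc -l)" -gt 1 ]
}

# Demo on the constructed listing; on a live host use: ps axZ | selinux_domains ...
sample_ps_axz | selinux_domains cockpitd realmd
```

On a real system, compare the result for each way of starting the daemons (command line, `systemctl start`, D-Bus activation) to see which combinations put them in different domains.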

@stefwalter stefwalter added this to the Security Cleanup milestone Apr 24, 2014
@stefwalter stefwalter added bug and removed bug labels Apr 24, 2014
@stefwalter
Contributor Author

This is a duplicate of #410
