Re: [PATCH v4] libselinux: use kernel status page by default

[Stephen Smalley <stephen.smalley.work@gmail.com>]

On Fri, Jul 24, 2020 at 10:14 AM Mike Palmiotto
<mike.palmiotto@crunchydata.com> wrote:
>
> Commit bc2a8f418e3b ("libselinux: add selinux_status_* interfaces for
> /selinux/status") introduced the sestatus mechanism, which allows for
> mmap()'ing of the kernel status page as a replacement for avc_netlink.
>
> The mechanism was initially intended for use by userspace object
> managers which were calculating access decisions within their
> application and did not rely on the libselinux AVC implementation. In
> order to properly make use of sestatus within avc_has_perm(), the status
> mechanism needs to properly set avc internals during status events;
> else, avc_enforcing is never updated upon sestatus changes.
>
> This commit introduces a new selinux_status_loop() function, which
> replaces the default netlink-equivalent, avc_netlink_loop(). The
> function watches the kernel status page until an error occurs, at which
> point it will exit the thread. In the event that the status page cannot
> be opened (on avc_open), the thread will continue to function as before
> by using a fallback netlink socket.
>
> This allows us to replace the call to avc_netlink_open() in
> avc_init_internal() with a call to selinux_status_open() and remove the
> avc_netlink_check_nb() call from the critical code path in
> avc_has_perm_noaudit(), as well as selinux_check_access().
>
> Userspace object managers that still need a netlink socket can call
> avc_netlink_acquire_fd() to open open and/or obtain one.
>
> Update the manpage to reflect the new avc_netlink_acquire_fd()
> functionality.
>
> Signed-off-by: Mike Palmiotto <mike.palmiotto@crunchydata.com>
> ---
> Testing:
>   - dbus-daemon v1.12.8 on RHEL8.2
>   - dbus-broker v22 on F32

This looks good to me as far as the code is concerned.  However,
installing the patched libselinux and rebooting, I notice that
afterward I have dbus-daemon running on a Fedora rawhide instance and
consuming nearly 100% CPU constantly.  I'm guessing it is sitting in
the status loop. Not sure why there is a dbus-daemon instance running
at all since dbus-broker seems to be the default in Fedora and
systemctl shows dbus-daemon as disabled.  But if I revert to the stock
libselinux, it stops hogging CPU.  Thoughts?