SELinux policy reload cannot be sent to audit system
Paul Moore
paul at paul-moore.com
Tue Nov 3 16:38:30 UTC 2015
On Tue, Nov 3, 2015 at 11:28 AM, Steve Grubb <sgrubb at redhat.com> wrote:
> On Tuesday, November 03, 2015 05:05:55 PM Laurent Bigonville wrote:
>> Hi,
>>
>> With dbus 1.10.2 (on Debian), when I'm running "semodule -B", the system
>> dbus daemon is complaining with the following message:
>>
>> nov 03 15:02:57 soldur dbus[1057]: Can't send to audit system: USER_AVC
>> avc: received policyload notice (seqno=3) exe="/usr/bin/dbus-daemon"
>> sauid=102 hostname=? addr=? terminal=?
>>
>> This is the system dbus daemon running as "messagebus":
>>
>> message+ 1057 0.0 0.0 127756 4524 ? Ssl 10:39 0:11
>> /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile
>> --systemd-activation
>>
>> Looking at the capabilities:
>>
>> $ sudo getpcaps 1057
>> Capabilities for `1057': = cap_audit_write+ep
>>
>> All other user_avc seems to be properly logged in audit.
>>
>> An idea?
>
> I'd patch it to syslog errno and other information to locate the syscall
> that's failing. Did socket fail? Did the send fail? Does it work in permissive
> mode?
I would also verify that your loaded SELinux policy is not blocking
the CAP_AUDIT_WRITE capability or the netlink_audit_socket:nlmsg_relay
permission.
--
paul moore
www.paul-moore.com
More information about the Linux-audit
mailing list