SELinux policy reload cannot be sent to audit system

Laurent Bigonville bigon at debian.org
Tue Nov 3 17:12:07 UTC 2015


On 03/11/15 17:28, Steve Grubb wrote:
> On Tuesday, November 03, 2015 05:05:55 PM Laurent Bigonville wrote:
>> Hi,
>>
>> With dbus 1.10.2 (on Debian), when I'm running "semodule -B", the system
>> dbus daemon is complaining with the following message:
>>
>> nov 03 15:02:57 soldur dbus[1057]: Can't send to audit system: USER_AVC
>> avc:  received policyload notice (seqno=3) exe="/usr/bin/dbus-daemon"
>> sauid=102 hostname=? addr=? terminal=?
>>
>> This is the system dbus daemon running as "messagebus":
>>
>> message+  1057  0.0  0.0 127756  4524 ?        Ssl  10:39   0:11
>> /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile
>> --systemd-activation
>>
>> Looking at the capabilities:
>>
>> $ sudo getpcaps 1057
>> Capabilities for `1057': = cap_audit_write+ep
>>
>> All other user_avc seem to be properly logged in audit.
>>
>> An idea?
> I'd patch it to syslog errno and other information to locate the syscall
> that's failing. Did socket fail? Did the send fail? Does it work in permissive
> mode?
I'm running in permissive mode.

I'm seeing a netlink open to the audit:

dbus-daem 1057 messagebus    7u  netlink 0t0  15248 AUDIT

Apparently audit_send() returns -1

I've been able to reproduce this on F23 as well.

BTW if I'm trying to compile audit with gcc optimization disabled (-O0) 
I get:

libtool: link: gcc -D_GNU_SOURCE -g -O0 -fstack-protector-strong 
-Wformat -Werror=format-security -Wl,-z -Wl,relro -Wl,--as-needed -o 
.libs/auvirt auvirt.o auvirt-list.o ausearch-time.o  -L../../auparse 
/<<PKGBUILDDIR>>/debian/build/auparse/.libs/libauparse.so
auvirt.o: In function `process_machine_id_event':
/<<PKGBUILDDIR>>/debian/build/tools/auvirt/../../../../tools/auvirt/auvirt.c:484: 
undefined reference to `copy_str'

Cheers,

Laurent Bigonville
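
The suggestion quoted above, to log errno and find out whether the socket or the send is failing, can be tried outside dbus with a small probe. This is an added example, not code from this thread, dbus or libaudit: `probe_audit_write` and its step names are hypothetical, the record text is constructed, and it speaks raw netlink to the kernel rather than calling libaudit's audit_send().

```c
#include <errno.h>
#include <poll.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>
#include <linux/audit.h>
#include <linux/netlink.h>
enum probe_step { STEP_OK, STEP_SOCKET, STEP_SEND, STEP_ACK };
struct probe_result { enum probe_step step; int err; };

/* Hypothetical helper (not libaudit or dbus code): send one AUDIT_USER_AVC
 * record over raw netlink and report which step failed, with its errno. */
struct probe_result probe_audit_write(const char *text)
{
    struct probe_result r = { STEP_OK, 0 };
    struct { struct nlmsghdr h; char data[512]; } req = { .h = {
        .nlmsg_type = AUDIT_USER_AVC, .nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK,
        .nlmsg_seq = 1 } };
    struct { struct nlmsghdr h; struct nlmsgerr e; char pad[512]; } rep;
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };
    size_t len = strlen(text);
    if (len > sizeof(req.data) - 1) len = sizeof(req.data) - 1;
    memcpy(req.data, text, len);              /* rest of data[] is already zero */
    req.h.nlmsg_len = NLMSG_LENGTH(len + 1);  /* include the trailing NUL */

    int fd = socket(AF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
    if (fd < 0) { r.step = STEP_SOCKET; r.err = errno; return r; }
    if (sendto(fd, &req, req.h.nlmsg_len, 0,
               (struct sockaddr *)&kernel, sizeof(kernel)) < 0) {
        r.step = STEP_SEND; r.err = errno;
    } else {  /* kernel verdicts such as EPERM arrive in the NLMSG_ERROR ack */
        struct pollfd p = { .fd = fd, .events = POLLIN };
        int ready = poll(&p, 1, 1000);
        ssize_t n = ready > 0 ? recv(fd, &rep, sizeof(rep), 0) : -1;
        if (ready == 0) r.err = ETIMEDOUT;
        else if (n < 0) r.err = errno;
        else if (n < (ssize_t)NLMSG_LENGTH(sizeof(int))) r.err = EBADMSG;
        else if (rep.h.nlmsg_type == NLMSG_ERROR) r.err = -rep.e.error;
        if (r.err) r.step = STEP_ACK;
    }
    close(fd);
    return r;
}

int main(void)
{   /* step: 0 = ok, 1 = socket(), 2 = sendto(), 3 = kernel ack */
    struct probe_result r = probe_audit_write("avc:  constructed probe record");
    printf("step=%d errno=%d (%s)\n", r.step, r.err, strerror(r.err));
    return r.step != STEP_OK;
}
```

Running it under the same user and capability set as the failing daemon shows whether the kernel itself rejects the record and with which errno.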



