SELinux policy reload cannot be sent to audit system
Steve Grubb
sgrubb at redhat.com
Tue Nov 3 19:33:00 UTC 2015
On Tuesday, November 03, 2015 06:12:07 PM Laurent Bigonville wrote:
> Le 03/11/15 17:28, Steve Grubb a écrit :
> > On Tuesday, November 03, 2015 05:05:55 PM Laurent Bigonville wrote:
> >> Hi,
> >>
> >> With dbus 1.10.2 (on Debian), when I'm running "semodule -B", the system
> >> dbus daemon is complaining with the following message:
> >>
> >> nov 03 15:02:57 soldur dbus[1057]: Can't send to audit system: USER_AVC
> >> avc: received policyload notice (seqno=3) exe="/usr/bin/dbus-daemon"
> >> sauid=102 hostname=? addr=? terminal=?
> >>
> >> This is the system dbus daemon running as "messagebus":
> >>
> >> message+ 1057 0.0 0.0 127756 4524 ? Ssl 10:39 0:11
> >> /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile
> >> --systemd-activation
> >>
> >> Looking at the capabilities:
> >>
> >> $ sudo getpcaps 1057
> >> Capabilities for `1057': = cap_audit_write+ep
> >>
> >> All other user_avc messages seem to be properly logged in audit.
> >>
> >> Any idea?
> >
> > I'd patch it to syslog errno and other information to locate the syscall
> > that's failing. Did socket fail? Did the send fail? Does it work in
> > permissive mode?
>
> I'm running in permissive mode.
>
> I'm seeing a netlink open to the audit:
>
> dbus-daem 1057 messagebus 7u netlink 0t0 15248 AUDIT
>
> Apparently audit_send() returns -1

Since it's -1, that would be an EPERM. No idea where this is coming from if you
have CAP_AUDIT_WRITE. I use pscap to check that.

> I've been able to reproduce this on F23 as well.

I have not played around with that yet.

> BTW if I'm trying to compile audit with gcc optimization disabled (-O0)
> I get:
>
> libtool: link: gcc -D_GNU_SOURCE -g -O0 -fstack-protector-strong
> -Wformat -Werror=format-security -Wl,-z -Wl,relro -Wl,--as-needed -o
> .libs/auvirt auvirt.o auvirt-list.o ausearch-time.o -L../../auparse
> /<<PKGBUILDDIR>>/debian/build/auparse/.libs/libauparse.so
> auvirt.o: In function `process_machine_id_event':
> /<<PKGBUILDDIR>>/debian/build/tools/auvirt/../../../../tools/auvirt/auvirt.c
> :484: undefined reference to `copy_str'

Thanks. I see a similar report with a patch from yoctoproject.org whatever
that is. I don't recall seeing the patch sent here. They list it as a C99
compiler change in semantics for inline functions. I have fixed this differently
in the upstream code as commit #1132

https://fedorahosted.org/audit/changeset/1132

Thanks,
-Steve
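Added example (not part of the thread above, and not code from dbus or from the audit project): the diagnostic Steve suggests, done by hand. It performs the same three steps libaudit's audit_open()/audit_send() perform for a USER_AVC record, a NETLINK_AUDIT socket(), a sendto() with NLM_F_ACK, and a recv() of the kernel's acknowledgement, and reports which step fails and with what errno, since audit_send() collapses all of them into one negative return value. It assumes a Linux kernel built with CONFIG_AUDIT, and a send only succeeds for a process that holds CAP_AUDIT_WRITE in the initial user namespace; the errno explanations reflect the kernel's audit netlink checks in general, not anything specific to the dbus case.

```c
/* Added diagnostic (not code from dbus or the audit project): reproduce what
 * libaudit's audit_open()/audit_send() do for a USER_AVC record, i.e. a
 * NETLINK_AUDIT socket(), a sendto() with NLM_F_ACK and a recv() of the
 * kernel's acknowledgement, and report which step fails and with what errno.
 * Assumes Linux with CONFIG_AUDIT; a successful send needs CAP_AUDIT_WRITE. */
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/audit.h>
#include <linux/netlink.h>

/* Fill buf with one AUDIT_USER_AVC request carrying text (NUL included).
 * Returns the request length, or -1 if it does not fit in bufsize bytes. */
static int build_user_avc(char *buf, size_t bufsize, const char *text)
{
    size_t textlen = strlen(text) + 1;
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;

    if (NLMSG_SPACE(textlen) > bufsize)
        return -1;
    memset(buf, 0, NLMSG_SPACE(textlen));
    nlh->nlmsg_len   = NLMSG_LENGTH(textlen);
    nlh->nlmsg_type  = AUDIT_USER_AVC;            /* type 1107, as in the dbus log line */
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK; /* ask the kernel to confirm or refuse */
    memcpy(NLMSG_DATA(nlh), text, textlen);
    return (int)nlh->nlmsg_len;
}

/* Usual meaning of the errno the audit netlink path hands back. */
static const char *explain_audit_errno(int err)
{
    switch (err) {
    case EPERM:
        return "EPERM: socket opener lacks CAP_AUDIT_WRITE in the initial user namespace";
    case ECONNREFUSED:
        return "ECONNREFUSED: not in the initial user namespace (kernel reports it as 'no audit')";
    case EPROTONOSUPPORT:
        return "EPROTONOSUPPORT: kernel built without CONFIG_AUDIT";
    default:
        return strerror(err);
    }
}

/* Read the acknowledgement. Returns 0 if the kernel accepted the record, the
 * negative errno it put in its NLMSG_ERROR reply, or -errno if recv() failed. */
static int read_ack(int fd)
{
    char buf[1024];                  /* on error the reply echoes our short request */
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    ssize_t n = recv(fd, buf, sizeof buf, 0);

    if (n < 0)
        return -errno;
    if (!NLMSG_OK(nlh, (int)n))
        return -EBADMSG;
    if (nlh->nlmsg_type == NLMSG_ERROR)
        return ((struct nlmsgerr *)NLMSG_DATA(nlh))->error;  /* 0 means accepted */
    return 0;
}

/* socket() + sendto() + ack; prints the failing step to log. Returns 0 or the
 * negative errno of the failing step (the same convention as audit_send()). */
static int try_send_user_avc(const char *text, FILE *log)
{
    char buf[512];
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK, .nl_pid = 0 };
    int len = build_user_avc(buf, sizeof buf, text);
    int fd, rc;

    if (len < 0)
        return -EMSGSIZE;
    fd = socket(PF_NETLINK, SOCK_RAW | SOCK_CLOEXEC, NETLINK_AUDIT);
    if (fd < 0) {
        rc = -errno;
        fprintf(log, "socket(NETLINK_AUDIT): %s\n", explain_audit_errno(-rc));
        return rc;
    }
    if (sendto(fd, buf, len, 0, (struct sockaddr *)&kernel, sizeof kernel) < 0) {
        rc = -errno;
        fprintf(log, "sendto(AUDIT_USER_AVC): %s\n", explain_audit_errno(-rc));
    } else if ((rc = read_ack(fd)) < 0) {
        fprintf(log, "kernel refused AUDIT_USER_AVC: %s\n", explain_audit_errno(-rc));
    }
    close(fd);
    return rc;
}

int main(int argc, char **argv)
{
    /* constructed sample text in the style of the record dbus sends */
    const char *text = argc > 1 ? argv[1] : "avc: received policyload notice (seqno=0)";
    int rc = try_send_user_avc(text, stderr);

    if (rc == 0)
        printf("accepted; look for the record with: ausearch -m USER_AVC\n");
    return rc == 0 ? 0 : 1;
}
```

Run it once as root (or with cap_audit_write granted) and once as an unprivileged user, and compare the step that fails: a permission refusal shows up in the acknowledgement rather than in sendto() itself, which is why reading the ack is the step that matters when audit_send() comes back as -1.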