SELinux policy reload cannot be sent to audit system

Steve Grubb sgrubb at redhat.com
Tue Nov 3 19:33:00 UTC 2015 

On Tuesday, November 03, 2015 06:12:07 PM Laurent Bigonville wrote:
> Le 03/11/15 17:28, Steve Grubb a écrit :
> > On Tuesday, November 03, 2015 05:05:55 PM Laurent Bigonville wrote:
> >> Hi,
> >> 
> >> With dbus 1.10.2 (on Debian), when I'm running "semodule -B", the system
> >> dbus daemon is complaining with the following message:
> >> 
> >> nov 03 15:02:57 soldur dbus[1057]: Can't send to audit system: USER_AVC
> >> avc:  received policyload notice (seqno=3) exe="/usr/bin/dbus-daemon"
> >> sauid=102 hostname=? addr=? terminal=?
> >> 
> >> This is the system dbus daemon running as "messagebus":
> >> 
> >> message+  1057  0.0  0.0 127756  4524 ?        Ssl  10:39   0:11
> >> /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile
> >> --systemd-activation
> >> 
> >> Looking at the capabilities:
> >> 
> >> $ sudo getpcaps 1057
> >> Capabilities for `1057': = cap_audit_write+ep
> >> 
> >> All other user_avc seems to be properly logged in audit.
> >> 
> >> An idea?
> > 
> > I'd patch it to syslog errno and other information to locate the syscall
> > that's failing. Did socket fail? Did the send fail? Does it work in
> > permissive mode?
> 
> I'm running in permissive mode.
> 
> I'm seeing a netlink open to the audit:
> 
> dbus-daem 1057 messagebus    7u  netlink 0t0  15248 AUDIT
> 
> Apparently audit_send() returns -1

Since its -1, that would be an EPERM. No idea where this is coming from if you 
have CAP_AUDIT_WRITE. I use pscap to check that.


> I've been to reproduce this on F23 as well.

I have not played around with that yet. 


> BTW if I'm trying to compile audit with gcc optimization disabled (-O0)
> I get:
> 
> libtool: link: gcc -D_GNU_SOURCE -g -O0 -fstack-protector-strong
> -Wformat -Werror=format-security -Wl,-z -Wl,relro -Wl,--as-needed -o
> .libs/auvirt auvirt.o auvirt-list.o ausearch-time.o  -L../../auparse
> /<<PKGBUILDDIR>>/debian/build/auparse/.libs/libauparse.so
> auvirt.o: In function `process_machine_id_event':
> /<<PKGBUILDDIR>>/debian/build/tools/auvirt/../../../../tools/auvirt/auvirt.c
> :484: undefined reference to `copy_str'

Thanks. I see a similar report with a patch from yoctoproject.org whatever 
that is. I don't recall seeing the patch sent here. They list it as a C99 
compiler change in semantics for inline functions. I have fixed this differently 
in the upstream code as commit #1132

https://fedorahosted.org/audit/changeset/1132

Thanks,
-Steve

More information about the Linux-audit mailing list