SELinux policy reload cannot be sent to audit system
Laurent Bigonville
bigon at debian.org
Tue Nov 3 20:48:31 UTC 2015
Le 03/11/15 21:08, Richard Guy Briggs a écrit :
> On 15/11/03, Steve Grubb wrote:
>> On Tuesday, November 03, 2015 06:12:07 PM Laurent Bigonville wrote:
>>>
>>> I'm running in permissive mode.
>>>
>>> I'm seeing a netlink open to the audit:
>>>
>>> dbus-daem 1057 messagebus 7u netlink 0t0 15248 AUDIT
>>>
>>> Apparently audit_send() returns -1
>> Since its -1, that would be an EPERM. No idea where this is coming from if you
>> have CAP_AUDIT_WRITE. I use pscap to check that.
> Are you in a container of any kind or any non-init USER namespace? I
> can't see it being denied otherwise assuming it is only trying to send
> AUDIT_USER_* class messages. (This assumes upstream kernel.)
No, I initially saw this on my laptop and then tested on F23 in kvm.
> I guess I have to ask which kernel too, since changes to NET and PID
> namespaces are somewhat recent and Debian tends on the side of
> conservative to be stable.
I'm under debian unstable and the kernel I'm running is 4.2
>
>>> I've been to reproduce this on F23 as well.
>> I have not played around with that yet.
> What kernel is that?
4.2 too apparently.
Cheers,
Laurent Bigonville
More information about the Linux-audit
mailing list