SELinux policy reload cannot be sent to audit system

Steve Grubb sgrubb at redhat.com
Thu Nov 5 03:23:30 UTC 2015


On Tuesday, November 03, 2015 09:48:31 PM Laurent Bigonville wrote:
> On 03/11/15 21:08, Richard Guy Briggs wrote:
> > On 15/11/03, Steve Grubb wrote:
> >> On Tuesday, November 03, 2015 06:12:07 PM Laurent Bigonville wrote:
> >>> I'm running in permissive mode.
> >>> 
> >>> I'm seeing a netlink open to the audit:
> >>> 
> >>> dbus-daem 1057 messagebus    7u  netlink 0t0  15248 AUDIT
> >>> 
> >>> Apparently audit_send() returns -1
> >> 
> >> Since it's -1, that would be an EPERM. No idea where this is coming from
> >> if you have CAP_AUDIT_WRITE. I use pscap to check that.
> > 
> > Are you in a container of any kind or any non-init USER namespace?  I
> > can't see it being denied otherwise assuming it is only trying to send
> > AUDIT_USER_* class messages.  (This assumes upstream kernel.)
> 
> No, I initially saw this on my laptop and then tested on F23 in kvm.

I tested this on Fedora 22 and did not get a USER_AVC from dbus, but I also
did not get an error message in syslog. So, I don't know what to make of it.
(And for the record, I have a bz open saying that USER_AVC is the wrong event
type. They are blaming libselinux but I blame them for not using
AUDIT_USER_MAC_POLICY_LOAD.)

-Steve

> > I guess I have to ask which kernel too, since changes to NET and PID
> > namespaces are somewhat recent and Debian tends on the side of
> > conservative to be stable.
> 
> I'm under debian unstable and the kernel I'm running is 4.2
> 
> >>> I've been able to reproduce this on F23 as well.
> >> 
> >> I have not played around with that yet.
> > 
> > What kernel is that?
> 
> 4.2 too apparently.
> 
> Cheers,
> 
> Laurent Bigonville
> 
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
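The check Steve describes above (confirming that the process which calls audit_send() actually holds CAP_AUDIT_WRITE, which is what pscap reports) can be done by reading the CapEff mask from /proc/<pid>/status. The program below is an added example written for this thread, not code from the list or from audit-userspace; the pid on the command line is a placeholder, and the constant 29 is the kernel's value for CAP_AUDIT_WRITE.

```c
/* Added example: does process <pid> hold CAP_AUDIT_WRITE?
 * Parses the CapEff line of /proc/<pid>/status, as pscap does. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>

#ifndef CAP_AUDIT_WRITE
#define CAP_AUDIT_WRITE 29   /* kernel capability number */
#endif

/* Parse the effective capability mask from a /proc/<pid>/status buffer.
 * Returns 1 and stores the mask on success, 0 if no CapEff line is found. */
int parse_cap_eff(const char *status, uint64_t *mask) {
    const char *p = strstr(status, "CapEff:");
    if (!p) return 0;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t') p++;
    char *end;
    uint64_t v = strtoull(p, &end, 16);
    if (end == p) return 0;
    *mask = v;
    return 1;
}

/* 1 if the status text shows CAP_AUDIT_WRITE in the effective set,
 * 0 if it is absent, -1 if the text could not be parsed. */
int status_has_audit_write(const char *status) {
    uint64_t mask;
    if (!parse_cap_eff(status, &mask)) return -1;
    return (int)((mask >> CAP_AUDIT_WRITE) & 1ULL);
}

/* Same check for a live process; -1 if /proc/<pid>/status is unreadable. */
int pid_has_audit_write(long pid) {
    char path[64], buf[4096];
    snprintf(path, sizeof path, "/proc/%ld/status", pid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return status_has_audit_write(buf);
}

int main(int argc, char **argv) {
    long pid = argc > 1 ? strtol(argv[1], NULL, 10) : 1; /* placeholder pid */
    int r = pid_has_audit_write(pid);
    if (r < 0) { fprintf(stderr, "cannot read status for pid %ld\n", pid); return 2; }
    printf("pid %ld %s CAP_AUDIT_WRITE\n", pid, r ? "has" : "lacks");
    return 0;
}
```

A process that lacks the bit here will get EPERM on the netlink send regardless of the SELinux mode, so this is worth checking before chasing the kernel or libselinux.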
