SELinux policy reload cannot be sent to audit system

Laurent Bigonville bigon at debian.org
Thu Nov 5 08:32:09 UTC 2015


On 05/11/15 04:23, Steve Grubb wrote:
> On Tuesday, November 03, 2015 09:48:31 PM Laurent Bigonville wrote:
>> On 03/11/15 21:08, Richard Guy Briggs wrote:
>>> On 15/11/03, Steve Grubb wrote:
>>>> On Tuesday, November 03, 2015 06:12:07 PM Laurent Bigonville wrote:
>>>>> I'm running in permissive mode.
>>>>>
>>>>> I'm seeing a netlink open to the audit:
>>>>>
>>>>> dbus-daem 1057 messagebus    7u  netlink 0t0  15248 AUDIT
>>>>>
>>>>> Apparently audit_send() returns -1
>>>> Since it's -1, that would be an EPERM. No idea where this is coming from
>>>> if you have CAP_AUDIT_WRITE. I use pscap to check that.
>>> Are you in a container of any kind or any non-init USER namespace?  I
>>> can't see it being denied otherwise assuming it is only trying to send
>>> AUDIT_USER_* class messages.  (This assumes upstream kernel.)
>> No, I initially saw this on my laptop and then tested on F23 in kvm.
> I tested this on Fedora 22 and did not get a USER_AVC from dbus, but I also
> did not get an error message in syslog. So, I don't know what to make of it.
> (And for the record, I have a bz open saying that USER_AVC is the wrong event
> type. They are blaming libselinux but I blame them for not using
> AUDIT_USER_MAC_POLICY_LOAD.)
The audit code in dbus has been refactored a bit in the version present in
F23 and Debian unstable, so it might be related to that.

Do you still have the number of that bz bug?

Cheers,

Laurent Bigonville
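Added example, not part of the thread above: the reply from Steve Grubb says an EPERM from audit_send() is unexpected when the process holds CAP_AUDIT_WRITE and suggests pscap to check. The C below reproduces that check directly from the CapEff line of /proc/<pid>/status (the same kernel-provided data pscap presents), so the capability of a running dbus-daemon can be confirmed without extra tooling. The sample status excerpts are constructed; the only assumptions are the CapEff hex encoding in /proc and the bit number of CAP_AUDIT_WRITE (29, taken from linux/capability.h with a fallback define if the header is absent).

```c
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>
#ifdef __linux__
#include <linux/capability.h>
#endif
#ifndef CAP_AUDIT_WRITE
#define CAP_AUDIT_WRITE 29 /* bit number from linux/capability.h */
#endif

/* Parse the "CapEff:" line out of the text of /proc/<pid>/status.
 * On success stores the effective capability mask in *mask and returns 0;
 * returns -1 if the line is missing or not a hex number. */
int parse_cap_eff(const char *status_text, uint64_t *mask)
{
    const char *p = strstr(status_text, "CapEff:");
    if (p == NULL)
        return -1;
    p += strlen("CapEff:");
    while (*p == ' ' || *p == '\t')
        p++;
    char *end = NULL;
    errno = 0;
    unsigned long long v = strtoull(p, &end, 16);
    if (end == p || errno != 0)
        return -1;
    *mask = (uint64_t)v;
    return 0;
}

/* 1 if capability number `cap` is set in `mask`, else 0. */
int has_cap(uint64_t mask, int cap)
{
    if (cap < 0 || cap > 63)
        return 0;
    return (int)((mask >> cap) & 1ULL);
}

/* 1 if the status text shows CAP_AUDIT_WRITE in the effective set,
 * 0 if it does not, -1 if CapEff could not be parsed. */
int status_has_audit_write(const char *status_text)
{
    uint64_t mask;
    if (parse_cap_eff(status_text, &mask) != 0)
        return -1;
    return has_cap(mask, CAP_AUDIT_WRITE);
}

/* Apply the same check to a live process by reading /proc/<pid>/status.
 * Returns 1/0 as above, or -1 if the file cannot be read or parsed. */
int pid_has_audit_write(pid_t pid)
{
    char path[64];
    char buf[8192];
    snprintf(path, sizeof path, "/proc/%ld/status", (long)pid);
    FILE *f = fopen(path, "r");
    if (f == NULL)
        return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return status_has_audit_write(buf);
}

/* Constructed sample: shape of a /proc/<pid>/status excerpt for a daemon
 * running with the full default root capability set (bits 0..37). */
static const char sample_root_status[] =
    "Name:\tdbus-daemon\n"
    "CapInh:\t0000000000000000\n"
    "CapPrm:\t0000003fffffffff\n"
    "CapEff:\t0000003fffffffff\n"
    "CapBnd:\t0000003fffffffff\n";

/* Constructed sample: the same daemon with bit 29 (CAP_AUDIT_WRITE) dropped,
 * which is the situation where audit_send() would legitimately fail. */
static const char sample_no_audit_status[] =
    "Name:\tdbus-daemon\n"
    "CapEff:\t0000003fdfffffff\n";

int main(void)
{
    printf("sample root daemon has CAP_AUDIT_WRITE: %d\n",
           status_has_audit_write(sample_root_status));
    printf("sample without bit 29 has CAP_AUDIT_WRITE: %d\n",
           status_has_audit_write(sample_no_audit_status));
    printf("this process has CAP_AUDIT_WRITE: %d\n",
           pid_has_audit_write(getpid()));
    return 0;
}
```

To check the daemon from the thread, call pid_has_audit_write() with the pid shown by lsof (1057 in the quoted output). A result of 1 together with an EPERM from audit_send() points away from capabilities and toward the namespace or kernel-side causes raised earlier in the thread.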
