SELinux policy reload cannot be sent to audit system

Steve Grubb sgrubb at redhat.com
Thu Nov 5 23:03:25 UTC 2015


On Thursday, November 05, 2015 09:32:09 AM Laurent Bigonville wrote:
> Le 05/11/15 04:23, Steve Grubb a écrit :
> > On Tuesday, November 03, 2015 09:48:31 PM Laurent Bigonville wrote:
> >> Le 03/11/15 21:08, Richard Guy Briggs a écrit :
> >>> On 15/11/03, Steve Grubb wrote:
> >>>> On Tuesday, November 03, 2015 06:12:07 PM Laurent Bigonville wrote:
> >>>>> I'm running in permissive mode.
> >>>>> 
> >>>>> I'm seeing a netlink open to the audit:
> >>>>> 
> >>>>> dbus-daem 1057 messagebus    7u  netlink 0t0  15248 AUDIT
> >>>>> 
> >>>>> Apparently audit_send() returns -1
> >>>> 
> >>>> Since it's -1, that would be an EPERM. No idea where this is coming from
> >>>> if you have CAP_AUDIT_WRITE. I use pscap to check that.
> >>> 
> >>> Are you in a container of any kind or any non-init USER namespace?  I
> >>> can't see it being denied otherwise assuming it is only trying to send
> >>> AUDIT_USER_* class messages.  (This assumes upstream kernel.)
> >> 
> >> No, I initially saw this on my laptop and then tested on F23 in kvm.
> > 
> > I tested this on Fedora 22 and did not get a USER_AVC from dbus, but I
> > also did not get an error message in syslog. So, I don't know what to
> > make of it. (And for the record, I have a bz open saying that USER_AVC
> > is the wrong event type. They are blaming libselinux but I blame them
> > for not using AUDIT_USER_MAC_POLICY_LOAD.)
> 
> The audit code in dbus has been refactored a bit in the version present in
> F23 and debian unstable, so it might be related to that.


I filed a bz to get this fixed:
https://bugzilla.redhat.com/show_bug.cgi?id=1278602

The root cause is listed in the bug. Dbus has 2 threads, one with 
CAP_AUDIT_WRITE and one without. The one without is the one trying to send the 
event.

-Steve
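The root cause Steve describes above is a per-thread capability difference: audit_send() fails with EPERM in the dbus thread that lacks CAP_AUDIT_WRITE even though another thread still holds it. The following C program is an added example, not code from this thread or from dbus, showing how to check the effective capability set of the calling thread (rather than the process) by parsing the CapEff line of /proc/thread-self/status. The sample status excerpt embedded in main() is constructed; the helper names (cap_in_hex_mask, status_field, status_has_cap, thread_has_cap) are this example's own.

```c
/* Added example (not from the thread): check whether the *calling thread*
 * holds CAP_AUDIT_WRITE, the capability the message identifies as missing
 * from the dbus thread that called audit_send(). Effective capabilities are
 * tracked per thread; /proc/thread-self/status reports the caller's own set,
 * and /proc/<pid>/task/<tid>/status reports any other thread's. */
#define _GNU_SOURCE
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <stdint.h>
#include <errno.h>

#ifndef CAP_AUDIT_WRITE
#define CAP_AUDIT_WRITE 29   /* value from <linux/capability.h> */
#endif

/* Return 1 if capability `cap` is set in a CapEff/CapPrm hex mask as printed
 * in /proc/<pid>/status (e.g. "000001ffffffffff"), 0 if not, -1 on bad input. */
int cap_in_hex_mask(const char *hexmask, int cap)
{
    char *end;
    errno = 0;
    uint64_t mask = strtoull(hexmask, &end, 16);
    if (errno != 0 || end == hexmask || cap < 0 || cap > 63)
        return -1;
    return (int)((mask >> cap) & 1ULL);
}

/* Copy the value of a "Name:<ws><value>" line from a status-file buffer into
 * out. Returns 1 on success, 0 if the field is absent. */
int status_field(const char *status_text, const char *name, char *out, size_t outlen)
{
    const char *p = status_text;
    size_t nlen = strlen(name);
    while (p && *p) {
        if (strncmp(p, name, nlen) == 0 && p[nlen] == ':') {
            p += nlen + 1;
            while (*p == ' ' || *p == '\t')
                p++;
            size_t i = 0;
            while (i + 1 < outlen && p[i] && p[i] != '\n') {
                out[i] = p[i];
                i++;
            }
            out[i] = '\0';
            return 1;
        }
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return 0;
}

/* Evaluate a status-file buffer: 1/0 for the CapEff bit, -1 if no CapEff line. */
int status_has_cap(const char *status_text, int cap)
{
    char hex[32];
    if (!status_field(status_text, "CapEff", hex, sizeof hex))
        return -1;
    return cap_in_hex_mask(hex, cap);
}

/* Check the calling thread's effective set via /proc/thread-self/status.
 * Returns 1/0, or -1 if the file cannot be read (non-Linux, restricted /proc). */
int thread_has_cap(int cap)
{
    FILE *f = fopen("/proc/thread-self/status", "r");
    if (!f)
        return -1;
    char buf[4096];
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return status_has_cap(buf, cap);
}

int main(void)
{
    /* Constructed sample standing in for a thread that kept only
     * CAP_AUDIT_WRITE (bit 29 = 0x20000000) in its effective set. */
    const char *sample =
        "Name:\tdbus-daemon\n"
        "CapInh:\t0000000000000000\n"
        "CapPrm:\t0000000020000000\n"
        "CapEff:\t0000000020000000\n";
    printf("sample thread: CAP_AUDIT_WRITE %s\n",
           status_has_cap(sample, CAP_AUDIT_WRITE) == 1 ? "present" : "absent");

    int r = thread_has_cap(CAP_AUDIT_WRITE);
    if (r < 0)
        printf("could not read /proc/thread-self/status\n");
    else
        printf("this thread: CAP_AUDIT_WRITE %s\n", r ? "present" : "absent");
    return 0;
}
```

Calling thread_has_cap() from each thread of a multi-threaded daemon (or reading /proc/<pid>/task/<tid>/status for every tid from outside) is the quickest way to confirm a split like the one in the bug: a process-level view can show the capability present while the thread doing the audit_send() has already dropped it.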