SELinux policy reload cannot be sent to audit system

Paul Moore paul at paul-moore.com
Fri Nov 6 01:25:13 UTC 2015


Thanks guys, it looks like you found the root cause.  It was on my
todo list to play with this on Rawhide but I wanted to get through
Richard's patches first.

On Thu, Nov 5, 2015 at 6:19 PM, Laurent Bigonville <bigon at debian.org> wrote:
> On 06/11/15 00:03, Steve Grubb wrote:
>
>> On Thursday, November 05, 2015 09:32:09 AM Laurent Bigonville wrote:
>>>
>>> On 05/11/15 04:23, Steve Grubb wrote:
>>>>
>>>> On Tuesday, November 03, 2015 09:48:31 PM Laurent Bigonville wrote:
>>>>>
>>>>> On 03/11/15 21:08, Richard Guy Briggs wrote:
>>>>>>
>>>>>> On 15/11/03, Steve Grubb wrote:
>>>>>>>
>>>>>>> On Tuesday, November 03, 2015 06:12:07 PM Laurent Bigonville wrote:
>>>>>>>>
>>>>>>>> I'm running in permissive mode.
>>>>>>>>
>>>>>>>> I'm seeing a netlink open to the audit:
>>>>>>>>
>>>>>>>> dbus-daem 1057 messagebus    7u  netlink 0t0  15248 AUDIT
>>>>>>>>
>>>>>>>> Apparently audit_send() returns -1
>>>>>>>
>>>>>>> Since it's -1, that would be an EPERM. No idea where this is coming
>>>>>>> from if you have CAP_AUDIT_WRITE. I use pscap to check that.
>>>>>>
>>>>>> Are you in a container of any kind or any non-init USER namespace?  I
>>>>>> can't see it being denied otherwise assuming it is only trying to send
>>>>>> AUDIT_USER_* class messages.  (This assumes upstream kernel.)
>>>>>
>>>>> No, I initially saw this on my laptop and then tested on F23 in kvm.
>>>>
>>>> I tested this on Fedora 22 and did not get a USER_AVC from dbus, but I
>>>> also did not get an error message in syslog. So, I don't know what to
>>>> make of it. (And for the record, I have a bz open saying that USER_AVC
>>>> is the wrong event type. They are blaming libselinux but I blame them
>>>> for not using AUDIT_USER_MAC_POLICY_LOAD.)
>>>
>>> The audit code in dbus has been refactored a bit in the version present
>>> in F23 and Debian unstable, so it might be related to that.
>>
>>
>> I filed a bz to get this fixed:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1278602
>>
>> The root cause is listed in the bug. Dbus has 2 threads, one with
>> CAP_AUDIT_WRITE and one without. The one without is the one trying to
>> send the event.
>
> Thanks,
>
> I've opened a bug upstream too:
> https://bugs.freedesktop.org/show_bug.cgi?id=92832
>
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

-- 
paul moore
www.paul-moore.com
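Steve's root-cause note above (one dbus thread holds CAP_AUDIT_WRITE, the other does not) hinges on Linux capabilities being a per-thread attribute, so a process-wide "does it have the capability?" check can mislead. The following C program is an added example, not dbus, libaudit or pscap code: it reads the CapEff line from /proc/<pid>/task/<tid>/status for every thread of a process and reports which threads hold CAP_AUDIT_WRITE (capability number 29 in linux/capability.h). The embedded status fragments are constructed for illustration and are not captured from a real dbus-daemon.

```c
/* Added example (not dbus, libaudit or pscap code): per-thread check for
 * CAP_AUDIT_WRITE. Capabilities live on the thread, so one thread of a
 * process can write to the audit netlink socket while another gets EPERM. */
#include <ctype.h>
#include <dirent.h>
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/types.h>
#include <unistd.h>

/* CAP_AUDIT_WRITE is capability number 29 in <linux/capability.h>. */
#define CAP_AUDIT_WRITE_NR 29

/* Constructed /proc/<pid>/task/<tid>/status fragments for demonstration. */
const char *SAMPLE_STATUS_WITH_CAP =
    "Name:\tdbus-daemon\nCapInh:\t0000000000000000\n"
    "CapPrm:\t0000000020000000\nCapEff:\t0000000020000000\n";
const char *SAMPLE_STATUS_WITHOUT_CAP =
    "Name:\tdbus-daemon\nCapInh:\t0000000000000000\n"
    "CapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n";
const char *SAMPLE_STATUS_MALFORMED = "Name:\tdbus-daemon\nCapPrm:\t0\n";

/* Find the "CapEff:" line in a status text and parse its hex bitmask.
 * Returns 0 on success, -1 if the line is missing or malformed. */
int parse_cap_eff(const char *status_text, uint64_t *cap_eff)
{
    const char *line = status_text;
    while (line && *line) {
        if (strncmp(line, "CapEff:", 7) == 0) {
            const char *p = line + 7;
            while (*p == ' ' || *p == '\t') p++;
            char *end;
            errno = 0;
            unsigned long long v = strtoull(p, &end, 16);
            if (end == p || errno != 0) return -1;
            *cap_eff = (uint64_t)v;
            return 0;
        }
        line = strchr(line, '\n');
        if (line) line++;
    }
    return -1;
}

/* 1 if capability `cap` is in the effective set, 0 if not, -1 on error. */
int has_effective_cap(const char *status_text, int cap)
{
    uint64_t eff;
    if (cap < 0 || cap > 63) return -1;
    if (parse_cap_eff(status_text, &eff) != 0) return -1;
    return ((eff >> cap) & 1ULL) ? 1 : 0;
}

/* Read one thread's status file and check CAP_AUDIT_WRITE (same return codes). */
int thread_has_audit_write(pid_t pid, pid_t tid)
{
    char path[64], buf[8192];
    snprintf(path, sizeof path, "/proc/%d/task/%d/status", (int)pid, (int)tid);
    FILE *f = fopen(path, "r");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf - 1, f);
    fclose(f);
    buf[n] = '\0';
    return has_effective_cap(buf, CAP_AUDIT_WRITE_NR);
}

/* Walk /proc/<pid>/task and print one line per thread. Returns 0 on success. */
int report_threads(pid_t pid)
{
    char dirpath[64];
    snprintf(dirpath, sizeof dirpath, "/proc/%d/task", (int)pid);
    DIR *d = opendir(dirpath);
    if (!d) { perror("opendir"); return -1; }
    struct dirent *de;
    while ((de = readdir(d)) != NULL) {
        if (!isdigit((unsigned char)de->d_name[0])) continue;   /* skip . and .. */
        pid_t tid = (pid_t)atoi(de->d_name);
        int r = thread_has_audit_write(pid, tid);
        printf("pid %d tid %d CAP_AUDIT_WRITE: %s\n", (int)pid, (int)tid,
               r == 1 ? "yes" : r == 0 ? "no" : "unknown");
    }
    closedir(d);
    return 0;
}

int main(int argc, char **argv)
{
    /* Usage: ./capcheck [pid]; defaults to the program's own pid. */
    pid_t pid = argc > 1 ? (pid_t)atoi(argv[1]) : getpid();
    return report_threads(pid) == 0 ? 0 : 1;
}
```

Run it against the daemon's pid (for example `./capcheck $(pidof dbus-daemon)`): a thread that reports "no" is exactly the one whose audit_send() will fail with EPERM for AUDIT_USER_* messages, even though the main thread shows the capability in pscap.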