SELinux policy reload cannot be sent to audit system

Steve Grubb sgrubb at redhat.com
Tue Nov 3 16:28:49 UTC 2015


On Tuesday, November 03, 2015 05:05:55 PM Laurent Bigonville wrote:
> Hi,
> 
> With dbus 1.10.2 (on Debian), when I'm running "semodule -B", the system
> dbus daemon is complaining with the following message:
> 
> nov 03 15:02:57 soldur dbus[1057]: Can't send to audit system: USER_AVC
> avc:  received policyload notice (seqno=3) exe="/usr/bin/dbus-daemon"
> sauid=102 hostname=? addr=? terminal=?
> 
> This is the system dbus daemon running as "messagebus":
> 
> message+  1057  0.0  0.0 127756  4524 ?        Ssl  10:39   0:11
> /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile
> --systemd-activation
> 
> Looking at the capabilities:
> 
> $ sudo getpcaps 1057
> Capabilities for `1057': = cap_audit_write+ep
> 
> All other user_avc seems to be properly logged in audit.
> 
> An idea?

I'd patch it to syslog errno and other information to locate the syscall 
that's failing. Did socket fail? Did the send fail? Does it work in permissive 
mode?

-Steve




More information about the Linux-audit mailing list