SELinux policy reload cannot be sent to audit system
Steve Grubb
sgrubb at redhat.com
Tue Nov 3 16:28:49 UTC 2015
On Tuesday, November 03, 2015 05:05:55 PM Laurent Bigonville wrote:
> Hi,
>
> With dbus 1.10.2 (on Debian), when I'm running "semodule -B", the system
> dbus daemon is complaining with the following message:
>
> nov 03 15:02:57 soldur dbus[1057]: Can't send to audit system: USER_AVC
> avc: received policyload notice (seqno=3) exe="/usr/bin/dbus-daemon"
> sauid=102 hostname=? addr=? terminal=?
>
> This is the system dbus daemon running as "messagebus":
>
> message+ 1057 0.0 0.0 127756 4524 ? Ssl 10:39 0:11
> /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile
> --systemd-activation
>
> Looking at the capabilities:
>
> $ sudo getpcaps 1057
> Capabilities for `1057': = cap_audit_write+ep
>
> All other user_avc seems to be properly logged in audit.
>
> An idea?
I'd patch it to syslog errno and other information to locate the syscall
that's failing. Did socket fail? Did the send fail? Does it work in permissive
mode?
-Steve
More information about the Linux-audit
mailing list