SELinux policy reload cannot be sent to audit system

Richard Guy Briggs rgb at redhat.com
Tue Nov 3 20:08:11 UTC 2015


On 15/11/03, Steve Grubb wrote:
> On Tuesday, November 03, 2015 06:12:07 PM Laurent Bigonville wrote:
> > On 03/11/15 17:28, Steve Grubb wrote:
> > > On Tuesday, November 03, 2015 05:05:55 PM Laurent Bigonville wrote:
> > >> Hi,
> > >> 
> > >> With dbus 1.10.2 (on Debian), when I'm running "semodule -B", the system
> > >> dbus daemon is complaining with the following message:
> > >> 
> > >> nov 03 15:02:57 soldur dbus[1057]: Can't send to audit system: USER_AVC
> > >> avc:  received policyload notice (seqno=3) exe="/usr/bin/dbus-daemon"
> > >> sauid=102 hostname=? addr=? terminal=?
> > >> 
> > >> This is the system dbus daemon running as "messagebus":
> > >> 
> > >> message+  1057  0.0  0.0 127756  4524 ?        Ssl  10:39   0:11
> > >> /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile
> > >> --systemd-activation
> > >> 
> > >> Looking at the capabilities:
> > >> 
> > >> $ sudo getpcaps 1057
> > >> Capabilities for `1057': = cap_audit_write+ep
> > >> 
> > >> All other user_avc messages seem to be properly logged in audit.
> > >> 
> > >> An idea?
> > > 
> > > I'd patch it to syslog errno and other information to locate the syscall
> > > that's failing. Did socket fail? Did the send fail? Does it work in
> > > permissive mode?
> > 
> > I'm running in permissive mode.
> > 
> > I'm seeing a netlink open to the audit:
> > 
> > dbus-daem 1057 messagebus    7u  netlink 0t0  15248 AUDIT
> > 
> > Apparently audit_send() returns -1
> 
> Since it's -1, that would be an EPERM. No idea where this is coming from if you 
> have CAP_AUDIT_WRITE. I use pscap to check that.

Are you in a container of any kind or any non-init USER namespace?  I
can't see it being denied otherwise assuming it is only trying to send
AUDIT_USER_* class messages.  (This assumes upstream kernel.)

I guess I have to ask which kernel too, since changes to NET and PID
namespaces are somewhat recent and Debian tends on the side of
conservative to be stable.

> > I've been to reproduce this on F23 as well.
> 
> I have not played around with that yet. 

What kernel is that?

> > BTW if I'm trying to compile audit with gcc optimization disabled (-O0)
> > I get:
> > 
> > libtool: link: gcc -D_GNU_SOURCE -g -O0 -fstack-protector-strong
> > -Wformat -Werror=format-security -Wl,-z -Wl,relro -Wl,--as-needed -o
> > .libs/auvirt auvirt.o auvirt-list.o ausearch-time.o  -L../../auparse
> > /<<PKGBUILDDIR>>/debian/build/auparse/.libs/libauparse.so
> > auvirt.o: In function `process_machine_id_event':
> > /<<PKGBUILDDIR>>/debian/build/tools/auvirt/../../../../tools/auvirt/auvirt.c
> > :484: undefined reference to `copy_str'
> 
> Thanks. I see a similar report with a patch from yoctoproject.org whatever 
> that is. I don't recall seeing the patch sent here. They list it as a C99 
> compiler change in semantics for inline functions. I have fixed this differently 
> in the upstream code as commit #1132

Yocto is a framework for developing distributions for embedded devices.

> https://fedorahosted.org/audit/changeset/1132
> 
> Thanks,
> -Steve

- RGB

--
Richard Guy Briggs <rbriggs at redhat.com>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545
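The diagnostic Steve asks for above (does socket() fail, does the send fail, and with which errno), written out as a stand-alone test program. This is an added example, not code from this thread, from dbus or from the audit project: it does by hand what libaudit's audit_send() does for one AUDIT_USER_AVC record over a raw NETLINK_AUDIT socket, reads the kernel's ack, and also checks CapEff in /proc/self/status for CAP_AUDIT_WRITE (bit 29) the way pscap would. The sample message text is constructed from the journal line quoted above.

```c
/* Added example, not from this thread or the audit project: reproduce what
 * libaudit's audit_send() does for one AUDIT_USER_AVC record with raw netlink
 * and report which step fails with which errno. */
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/audit.h>

#define CAP_AUDIT_WRITE_BIT 29          /* CAP_AUDIT_WRITE in linux/capability.h */

/* 1 if capability bit `cap` is set in a CapEff-style hex mask, else 0. */
int cap_mask_has(const char *hexmask, int cap)
{
    unsigned long long mask = strtoull(hexmask, NULL, 16);   /* skips leading blanks */
    return (int)((mask >> cap) & 1ULL);
}

/* CapEff of this process from /proc/self/status: 1 = set, 0 = clear, -1 = unreadable. */
int self_has_cap(int cap)
{
    FILE *f = fopen("/proc/self/status", "r");
    char line[256];
    int ret = -1;
    if (!f)
        return -1;
    while (fgets(line, sizeof line, f))
        if (strncmp(line, "CapEff:", 7) == 0) {
            ret = cap_mask_has(line + 7, cap);
            break;
        }
    fclose(f);
    return ret;
}

/* Netlink request of `type` carrying the NUL-terminated text (libaudit also
 * sends strlen+1 bytes).  Returns nlmsg_len, or 0 if buf is too small. */
size_t build_user_msg(unsigned char *buf, size_t buflen, int type, const char *text)
{
    size_t plen = strlen(text) + 1;
    struct nlmsghdr *nlh = (struct nlmsghdr *)buf;
    if (NLMSG_SPACE(plen) > buflen)
        return 0;
    memset(buf, 0, NLMSG_SPACE(plen));
    nlh->nlmsg_len = NLMSG_LENGTH(plen);
    nlh->nlmsg_type = type;
    nlh->nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;   /* kernel must answer with NLMSG_ERROR */
    nlh->nlmsg_seq = 1;
    memcpy(NLMSG_DATA(nlh), text, plen);
    return nlh->nlmsg_len;
}

/* 0 on success, else -errno of the failing step; *stage names that step. */
int audit_user_avc_send(const char *text, const char **stage)
{
    unsigned char buf[512];
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };   /* nl_pid 0 = kernel */
    struct nlmsghdr *ack = (struct nlmsghdr *)buf;
    size_t len = build_user_msg(buf, sizeof buf, AUDIT_USER_AVC, text);
    ssize_t n;
    int fd, rc;

    if (len == 0) { *stage = "build"; return -EMSGSIZE; }
    fd = socket(PF_NETLINK, SOCK_RAW, NETLINK_AUDIT);
    if (fd < 0) { *stage = "socket"; return -errno; }   /* e.g. EPROTONOSUPPORT: no audit in kernel */
    n = sendto(fd, buf, len, 0, (struct sockaddr *)&kernel, sizeof kernel);
    if (n < 0) { *stage = "sendto"; rc = -errno; close(fd); return rc; }
    /* The kernel checks CAP_AUDIT_WRITE (and, as RGB's question implies, the
     * sender's namespace) while processing the message, so a refusal such as
     * EPERM normally arrives in the ack rather than from sendto(). */
    n = recv(fd, buf, sizeof buf, 0);
    if (n < 0) { *stage = "recv"; rc = -errno; close(fd); return rc; }
    close(fd);
    *stage = "ack";
    if (!NLMSG_OK(ack, (size_t)n) || ack->nlmsg_type != NLMSG_ERROR)
        return -EPROTO;
    return ((struct nlmsgerr *)NLMSG_DATA(ack))->error;   /* 0 or a negative errno */
}

int main(void)
{
    const char *stage = "?";
    int rc;
    printf("CAP_AUDIT_WRITE in CapEff: %d\n", self_has_cap(CAP_AUDIT_WRITE_BIT));
    /* constructed sample, modelled on the journal line quoted in the thread */
    rc = audit_user_avc_send("avc:  received policyload notice (seqno=3) test", &stage);
    if (rc == 0)
        printf("USER_AVC accepted; look for it with: ausearch -m USER_AVC\n");
    else
        printf("failed at %s: %s\n", stage, strerror(-rc));
    return rc ? 1 : 0;
}
```

Run it as the same user and in the same namespaces as the daemon that fails (for the system bus, as messagebus with only cap_audit_write+ep, or via nsenter into its namespaces) and compare the stage and errno with what a root shell in the initial namespaces gets; a refusal at "ack" with EPERM despite CapEff showing bit 29 points at the namespace question rather than at the capability set.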
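On the -O0 link error against copy_str quoted above: an added illustration of the C99 inline rule involved, not the audit project's auvirt.c and not its commit 1132 fix (the thread does not show what that commit changed). The function body here is invented for the example; only the name copy_str comes from the linker message.

```c
/* Added example, not the audit project's code.  Under C99 semantics (gcc's
 * default since gcc 5), a function defined with plain `inline` and never
 * declared `extern` is only an inline definition: it emits no external
 * symbol.  At -O0 gcc does not inline, so every call becomes a reference to
 * a symbol no object file provides, hence "undefined reference to `copy_str'".
 * `static inline` gives each translation unit its own copy and links at any
 * optimisation level. */
#include <stdlib.h>
#include <string.h>

/* Portable form: an internal-linkage definition is always available. */
static inline char *copy_str(const char *s, size_t n)
{
    char *out = malloc(n + 1);          /* caller frees */
    if (out) {
        memcpy(out, s, n);
        out[n] = '\0';
    }
    return out;
}

/* The form that breaks at -O0 with -std=gnu99/gnu11, shown only as a comment:
 *   inline char *copy_str(const char *s, size_t n) { ... }
 * It links only if exactly one .c file also supplies the external definition,
 * i.e. an `extern inline` (C99 meaning) or plain non-inline definition. */
```

The quick check on a tree that shows this symptom is to rebuild with `-std=gnu89`, where plain `inline` still emits an external definition; if the error disappears, the fix is `static inline` (or a single extern definition), not an optimisation flag.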



