From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Re: SELinux policy reload cannot be sent to audit system
Date: Tue, 03 Nov 2015 11:28:49 -0500
Message-ID: <1758315.3fUBHW9xxQ@x2>
References: <5638DB63.7010204@debian.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
In-Reply-To: <5638DB63.7010204@debian.org>
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Tuesday, November 03, 2015 05:05:55 PM Laurent Bigonville wrote:
> Hi,
> 
> With dbus 1.10.2 (on Debian), when I'm running "semodule -B", the system
> dbus daemon is complaining with the following message:
> 
> nov 03 15:02:57 soldur dbus[1057]: Can't send to audit system: USER_AVC
> avc:  received policyload notice (seqno=3) exe="/usr/bin/dbus-daemon"
> sauid=102 hostname=? addr=? terminal=?
> 
> This is the system dbus daemon running as "messagebus":
> 
> message+  1057  0.0  0.0 127756  4524 ?        Ssl  10:39   0:11
> /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile
> --systemd-activation
> 
> Looking at the capabilities:
> 
> $ sudo getpcaps 1057
> Capabilities for `1057': = cap_audit_write+ep
> 
> All other user_avc seems to be properly logged in audit.
> 
> An idea?

I'd patch it to syslog errno and other information to locate the syscall 
that's failing. Did socket fail? Did the send fail? Does it work in permissive 
mode?

-Steve