From: Steve Grubb
Subject: Re: SELinux policy reload cannot be sent to audit system
Date: Tue, 03 Nov 2015 14:33 -0500
Message-ID: <4171588.zUAisyrW99@x2>
References: <5638DB63.7010204@debian.org> <1758315.3fUBHW9xxQ@x2> <5638EAE7.1070506@debian.org>
In-Reply-To: <5638EAE7.1070506@debian.org>
To: linux-audit@redhat.com

On Tuesday, November 03, 2015 06:12:07 PM Laurent Bigonville wrote:
> On 03/11/15 17:28, Steve Grubb wrote:
> > On Tuesday, November 03, 2015 05:05:55 PM Laurent Bigonville wrote:
> >> Hi,
> >>
> >> With dbus 1.10.2 (on Debian), when I'm running "semodule -B", the system
> >> dbus daemon is complaining with the following message:
> >>
> >> nov 03 15:02:57 soldur dbus[1057]: Can't send to audit system: USER_AVC
> >> avc: received policyload notice (seqno=3) exe="/usr/bin/dbus-daemon"
> >> sauid=102 hostname=? addr=? terminal=?
> >>
> >> This is the system dbus daemon running as "messagebus":
> >>
> >> message+ 1057 0.0 0.0 127756 4524 ? Ssl 10:39 0:11
> >> /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile
> >> --systemd-activation
> >>
> >> Looking at the capabilities:
> >>
> >> $ sudo getpcaps 1057
> >> Capabilities for `1057': = cap_audit_write+ep
> >>
> >> All other user_avc seems to be properly logged in audit.
> >>
> >> An idea?
> >
> > I'd patch it to syslog errno and other information to locate the syscall
> > that's failing. Did socket fail? Did the send fail? Does it work in
> > permissive mode?
>
> I'm running in permissive mode.
>
> I'm seeing a netlink open to the audit:
>
> dbus-daem 1057 messagebus 7u netlink 0t0 15248 AUDIT
>
> Apparently audit_send() returns -1

Since it's -1, that would be an EPERM. No idea where this is coming from if you
have CAP_AUDIT_WRITE. I use pscap to check that.

> I've been to reproduce this on F23 as well.

I have not played around with that yet.

> BTW if I'm trying to compile audit with gcc optimization disabled (-O0)
> I get:
>
> libtool: link: gcc -D_GNU_SOURCE -g -O0 -fstack-protector-strong
> -Wformat -Werror=format-security -Wl,-z -Wl,relro -Wl,--as-needed -o
> .libs/auvirt auvirt.o auvirt-list.o ausearch-time.o -L../../auparse
> /<>/debian/build/auparse/.libs/libauparse.so
> auvirt.o: In function `process_machine_id_event':
> /<>/debian/build/tools/auvirt/../../../../tools/auvirt/auvirt.c
> :484: undefined reference to `copy_str'

Thanks. I see a similar report with a patch from yoctoproject.org whatever that
is. I don't recall seeing the patch sent here. They list it as a C99 compiler
change in semantics for inline functions. I have fixed this differently in the
upstream code as commit #1132

https://fedorahosted.org/audit/changeset/1132

Thanks,
-Steve
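
The questions raised in the message above (did socket fail, did the send fail, is the -1 an EPERM) can be answered by a probe that reports the failing step together with its errno. This is an added example, not code from this thread, from dbus or from the audit project; `probe_user_avc`, `struct probe` and the `ST_*` stages are hypothetical names, and the record text is constructed.

```c
#include <errno.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/time.h>
#include <linux/netlink.h>
#include <linux/audit.h>

/* Hypothetical names for this example: the step at which the attempt stopped. */
enum stage { ST_OK, ST_SOCKET, ST_SEND, ST_RECV, ST_KERNEL_NACK };
struct probe { enum stage stage; int err; };   /* err: errno value, 0 on success */

/* Send one AUDIT_USER_AVC record over NETLINK_AUDIT and wait for the kernel's
 * ACK: error 0 is success, a nonzero error such as -EPERM is a refusal. */
struct probe probe_user_avc(const char *text) {
    struct probe r = { ST_OK, 0 };
    struct { struct nlmsghdr h; char data[512]; } req, rep;
    struct sockaddr_nl kernel = { .nl_family = AF_NETLINK };   /* nl_pid 0: kernel */
    struct timeval tmo = { .tv_sec = 2 };                      /* bound the wait */
    size_t len = strlen(text);
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_AUDIT);

    if (fd < 0) { r.stage = ST_SOCKET; r.err = errno; return r; }
    setsockopt(fd, SOL_SOCKET, SO_RCVTIMEO, &tmo, sizeof(tmo));
    if (len >= sizeof(req.data)) len = sizeof(req.data) - 1;
    memset(&req, 0, sizeof(req));
    memcpy(req.data, text, len);                 /* memset supplies the NUL */
    req.h.nlmsg_len = NLMSG_LENGTH(len + 1);
    req.h.nlmsg_type = AUDIT_USER_AVC;
    req.h.nlmsg_flags = NLM_F_REQUEST | NLM_F_ACK;
    req.h.nlmsg_seq = 1;
    if (sendto(fd, &req, req.h.nlmsg_len, 0,
               (struct sockaddr *)&kernel, sizeof(kernel)) < 0) {
        r.stage = ST_SEND; r.err = errno;
    } else {
        ssize_t n = recv(fd, &rep, sizeof(rep), 0);
        if (n < 0) { r.stage = ST_RECV; r.err = errno; }
        else if ((size_t)n >= NLMSG_LENGTH(sizeof(struct nlmsgerr)) &&
                 rep.h.nlmsg_type == NLMSG_ERROR) {
            r.err = -((struct nlmsgerr *)NLMSG_DATA(&rep.h))->error;
            if (r.err) r.stage = ST_KERNEL_NACK;
        }
    }
    close(fd);
    return r;
}

int main(void) {
    struct probe p = probe_user_avc("avc: constructed test record");
    printf("stage=%d errno=%d (%s)\n", p.stage, p.err, strerror(p.err));
    return p.stage != ST_OK;
}
```

Run it as the same user and with the same capability set as the daemon under investigation; the stage and errno pair shows whether the failure is local (socket, send) or a refusal returned by the kernel.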