From mboxrd@z Thu Jan  1 00:00:00 1970
From: Laurent Bigonville <bigon@debian.org>
Subject: SELinux policy reload cannot be sent to audit system
Date: Tue, 3 Nov 2015 17:05:55 +0100
Message-ID: <5638DB63.7010204@debian.org>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"; Format="flowed"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from mx1.redhat.com (ext-mx04.extmail.prod.ext.phx2.redhat.com
	[10.5.110.28])
	by int-mx09.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
	id tA3G625J003881
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256
	verify=NO)
	for <linux-audit@redhat.com>; Tue, 3 Nov 2015 11:06:03 -0500
Received: from anor.bigon.be (anor.bigon.be [91.121.173.99])
	by mx1.redhat.com (Postfix) with ESMTPS id A3B44225
	for <linux-audit@redhat.com>; Tue,  3 Nov 2015 16:06:01 +0000 (UTC)
Received: from anor.bigon.be (localhost.localdomain [127.0.0.1])
	by anor.bigon.be (Postfix) with ESMTP id C89B21A1BB
	for <linux-audit@redhat.com>; Tue,  3 Nov 2015 17:05:58 +0100 (CET)
Received: from anor.bigon.be ([127.0.0.1])
	by anor.bigon.be (anor.bigon.be [127.0.0.1]) (amavisd-new, port 10026)
	with ESMTP id L_hW0qnSs4dg for <linux-audit@redhat.com>;
	Tue,  3 Nov 2015 17:05:56 +0100 (CET)
Received: from [10.20.80.62] (unknown [193.53.238.201])
	(using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits))
	(Client did not present a certificate) (Authenticated sender: bigon)
	by anor.bigon.be (Postfix) with ESMTPSA id DEE961A070
	for <linux-audit@redhat.com>; Tue,  3 Nov 2015 17:05:55 +0100 (CET)
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi,

With dbus 1.10.2 (on Debian), when I'm running "semodule -B", the system 
dbus daemon is complaining with the following message:

nov 03 15:02:57 soldur dbus[1057]: Can't send to audit system: USER_AVC 
avc:  received policyload notice (seqno=3) exe="/usr/bin/dbus-daemon" 
sauid=102 hostname=? addr=? terminal=?

This is the system dbus daemon running as "messagebus":

message+  1057  0.0  0.0 127756  4524 ?        Ssl  10:39   0:11 
/usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile 
--systemd-activation

Looking at the capabilities:

$ sudo getpcaps 1057
Capabilities for `1057': = cap_audit_write+ep

All other user_avc seems to be properly logged in audit.

An idea?

Cheers,

Laurent Bigonville