From: Laurent Bigonville
Subject: Re: SELinux policy reload cannot be sent to audit system
Date: Fri, 6 Nov 2015 00:19:17 +0100
Message-ID: <563BE3F5.6030808@debian.org>
References: <5638DB63.7010204@debian.org> <2867240.eZb4Ly0uub@x2> <563B1409.3030803@debian.org> <4121374.MmbOH8Er09@x2>
In-Reply-To: <4121374.MmbOH8Er09@x2>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On 06/11/15 00:03, Steve Grubb wrote:
> On Thursday, November 05, 2015 09:32:09 AM Laurent Bigonville wrote:
>> On 05/11/15 04:23, Steve Grubb wrote:
>>> On Tuesday, November 03, 2015 09:48:31 PM Laurent Bigonville wrote:
>>>> On 03/11/15 21:08, Richard Guy Briggs wrote:
>>>>> On 15/11/03, Steve Grubb wrote:
>>>>>> On Tuesday, November 03, 2015 06:12:07 PM Laurent Bigonville wrote:
>>>>>>> I'm running in permissive mode.
>>>>>>>
>>>>>>> I'm seeing a netlink open to the audit:
>>>>>>>
>>>>>>> dbus-daem 1057 messagebus 7u netlink 0t0 15248 AUDIT
>>>>>>>
>>>>>>> Apparently audit_send() returns -1
>>>>>> Since it's -1, that would be an EPERM. No idea where this is coming from
>>>>>> if you have CAP_AUDIT_WRITE. I use pscap to check that.
>>>>> Are you in a container of any kind or any non-init USER namespace? I
>>>>> can't see it being denied otherwise assuming it is only trying to send
>>>>> AUDIT_USER_* class messages. (This assumes upstream kernel.)
>>>> No, I initially saw this on my laptop and then tested on F23 in kvm.
>>> I tested this on Fedora 22 and did not get a USER_AVC from dbus, but I
>>> also did not get an error message in syslog. So, I don't know what to
>>> make of it. (And for the record, I have a bz open saying that USER_AVC
>>> is the wrong event type. They are blaming libselinux but I blame them
>>> for not using AUDIT_USER_MAC_POLICY_LOAD.)
>> The audit code in dbus has been refactored a bit in the version present
>> in F23 and debian unstable, so it might be related to this.
>
> I filed a bz to get this fixed:
> https://bugzilla.redhat.com/show_bug.cgi?id=1278602
>
> The root cause is listed in the bug. Dbus has 2 threads, one with
> CAP_AUDIT_WRITE and one without. The one without is the one trying to
> send the event.

Thanks, I've opened a bug upstream too:
https://bugs.freedesktop.org/show_bug.cgi?id=92832
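The root cause named above (one thread of a daemon holding CAP_AUDIT_WRITE while another thread, the one that actually calls audit_send(), does not) is easy to confirm from /proc, since Linux keeps a capability set per thread, not per process. The following script is an added example, not code from this thread or from dbus or audit-userspace: it parses the CapEff line of each /proc/<pid>/task/<tid>/status file and reports the threads that lack CAP_AUDIT_WRITE (capability number 29 in linux/capability.h). The embedded sample status texts, their thread ids and capability masks are constructed for the demonstration; read_live_thread_statuses() does the same against a real pid.

```python
"""Report which threads of a process lack CAP_AUDIT_WRITE in their
effective capability set (CapEff), the condition that makes the audit
netlink send fail with EPERM for that thread only."""
import os
import re

# Capability number from linux/capability.h (bit position in CapEff).
CAP_AUDIT_WRITE = 29

# Constructed sample: two threads of a hypothetical daemon. The tid values
# and masks are invented; thread 1060's mask has bit 29 clear.
SAMPLE_STATUSES = {
    1057: "Name:\tdbus-daemon\nPid:\t1057\nCapEff:\t0000000020000000\n",
    1060: "Name:\tdbus-daemon\nPid:\t1057\nCapEff:\t0000000000000000\n",
}


def parse_cap_eff(status_text: str) -> int:
    """Return the effective capability mask from a /proc/*/status text."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", status_text, re.M)
    if m is None:
        raise ValueError("CapEff line not found in status text")
    return int(m.group(1), 16)


def has_cap(cap_mask: int, cap: int) -> bool:
    """True if capability number `cap` is set in `cap_mask`."""
    return bool((cap_mask >> cap) & 1)


def threads_missing_cap(statuses: dict, cap: int = CAP_AUDIT_WRITE) -> list:
    """Given {tid: status_text}, return the sorted tids lacking `cap`."""
    return sorted(tid for tid, text in statuses.items()
                  if not has_cap(parse_cap_eff(text), cap))


def read_live_thread_statuses(pid: int) -> dict:
    """Collect {tid: status_text} for every thread of a running process."""
    task_dir = f"/proc/{pid}/task"
    statuses = {}
    for tid in os.listdir(task_dir):
        with open(f"{task_dir}/{tid}/status") as f:
            statuses[int(tid)] = f.read()
    return statuses


if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        statuses = read_live_thread_statuses(int(sys.argv[1]))
    else:
        statuses = SAMPLE_STATUSES
    missing = threads_missing_cap(statuses)
    for tid in sorted(statuses):
        mask = parse_cap_eff(statuses[tid])
        state = "MISSING" if tid in missing else "ok"
        print(f"tid {tid}: CapEff={mask:016x} CAP_AUDIT_WRITE {state}")
```

Run it with a pid (`python3 capcheck.py 1057`) to inspect a live daemon; with no argument it runs over the constructed sample and flags thread 1060. Process-wide tools such as pscap read the main thread's status only, which is why a per-thread check is the one that exposes this class of bug.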