From: Steve Grubb
Subject: Re: SELinux policy reload cannot be sent to audit system
Date: Wed, 04 Nov 2015 22:23:30 -0500
Message-ID: <2867240.eZb4Ly0uub@x2>
References: <5638DB63.7010204@debian.org> <20151103200811.GG1422@madcap2.tricolour.ca> <56391D9F.3080301@debian.org>
In-Reply-To: <56391D9F.3080301@debian.org>
To: linux-audit@redhat.com

On Tuesday, November 03, 2015 09:48:31 PM Laurent Bigonville wrote:
> On 03/11/15 21:08, Richard Guy Briggs wrote:
> > On 15/11/03, Steve Grubb wrote:
> >> On Tuesday, November 03, 2015 06:12:07 PM Laurent Bigonville wrote:
> >>> I'm running in permissive mode.
> >>>
> >>> I'm seeing a netlink open to the audit:
> >>>
> >>> dbus-daem 1057 messagebus 7u netlink 0t0 15248 AUDIT
> >>>
> >>> Apparently audit_send() returns -1
> >>
> >> Since it's -1, that would be an EPERM. No idea where this is coming from
> >> if you have CAP_AUDIT_WRITE. I use pscap to check that.
> >
> > Are you in a container of any kind or any non-init USER namespace? I
> > can't see it being denied otherwise assuming it is only trying to send
> > AUDIT_USER_* class messages. (This assumes upstream kernel.)
>
> No, I initially saw this on my laptop and then tested on F23 in kvm.

I tested this on Fedora 22 and did not get a USER_AVC from dbus, but I also
did not get an error message in syslog. So, I don't know what to make of it.
(And for the record, I have a bz open saying that USER_AVC is the wrong event
type. They are blaming libselinux but I blame them for not using
AUDIT_USER_MAC_POLICY_LOAD.)

-Steve

> > I guess I have to ask which kernel too, since changes to NET and PID
> > namespaces are somewhat recent and Debian tends on the side of
> > conservative to be stable.
>
> I'm under debian unstable and the kernel I'm running is 4.2
>
> >>> I've been to reproduce this on F23 as well.
> >>
> >> I have not played around with that yet.
> >
> > What kernel is that?
>
> 4.2 too apparently.
>
> Cheers,
>
> Laurent Bigonville
>
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
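
The CAP_AUDIT_WRITE check that the thread does with pscap can also be made directly from the `CapEff` mask in `/proc/<pid>/status`. The following is an added example, not part of the original message and not pscap's code; the function name `has_audit_write` and the sample status text are constructed for illustration.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define CAP_AUDIT_WRITE_BIT 29 /* CAP_AUDIT_WRITE in <linux/capability.h> */

/* Constructed sample of /proc/<pid>/status content (not from the thread). */
static const char SAMPLE_STATUS[] =
    "Name:\tdbus-daemon\nCapPrm:\t0000000020000000\nCapEff:\t0000000020000000\n";

/* 1 = CAP_AUDIT_WRITE effective, 0 = missing, -1 = no parsable CapEff line. */
int has_audit_write(const char *status)
{
    for (const char *p = status; p && *p; ) {
        if (strncmp(p, "CapEff:", 7) == 0) {
            const char *v = p + 7 + strspn(p + 7, " \t");
            if (!isxdigit((unsigned char)*v))
                return -1; /* label present but no hex digits on this line */
            uint64_t mask = strtoull(v, NULL, 16);
            return (int)((mask >> CAP_AUDIT_WRITE_BIT) & 1);
        }
        p = strchr(p, '\n'); /* advance to the start of the next line */
        if (p)
            p++;
    }
    return -1;
}

int main(int argc, char **argv)
{
    char buf[8192], path[64];
    const char *status = SAMPLE_STATUS;
    if (argc > 1) { /* a PID was given: read that process's status file */
        snprintf(path, sizeof path, "/proc/%s/status", argv[1]);
        FILE *f = fopen(path, "r");
        if (!f) {
            perror(path);
            return 2;
        }
        size_t n = fread(buf, 1, sizeof buf - 1, f);
        fclose(f);
        buf[n] = '\0';
        status = buf;
    }
    int r = has_audit_write(status);
    printf("CAP_AUDIT_WRITE: %s\n", r == 1 ? "effective" : r == 0 ? "missing" : "unknown");
    return r == 1 ? 0 : 1;
}
```

Run with a PID argument to inspect a live process, or with no argument to use the constructed sample. The mask is relative to the process's own user namespace, so a set bit does not by itself answer the container and non-init user namespace question raised in the thread.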