From mboxrd@z Thu Jan 1 00:00:00 1970 From: Laurent Bigonville Subject: Re: SELinux policy reload cannot be sent to audit system Date: Tue, 3 Nov 2015 18:12:07 +0100 Message-ID: <5638EAE7.1070506@debian.org> References: <5638DB63.7010204@debian.org> <1758315.3fUBHW9xxQ@x2> Mime-Version: 1.0 Content-Type: text/plain; charset="windows-1252"; Format="flowed" Content-Transfer-Encoding: quoted-printable Return-path: Received: from mx1.redhat.com (ext-mx03.extmail.prod.ext.phx2.redhat.com [10.5.110.27]) by int-mx13.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP id tA3HCEFk003638 (version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-GCM-SHA384 bits=256 verify=NO) for ; Tue, 3 Nov 2015 12:12:14 -0500 Received: from anor.bigon.be (anor.bigon.be [91.121.173.99]) by mx1.redhat.com (Postfix) with ESMTPS id 5A5C18FAA2 for ; Tue, 3 Nov 2015 17:12:13 +0000 (UTC) Received: from anor.bigon.be (localhost.localdomain [127.0.0.1]) by anor.bigon.be (Postfix) with ESMTP id 4BD481A1BB for ; Tue, 3 Nov 2015 18:12:11 +0100 (CET) Received: from anor.bigon.be ([127.0.0.1]) by anor.bigon.be (anor.bigon.be [127.0.0.1]) (amavisd-new, port 10026) with ESMTP id uEkXOV2hz-vx for ; Tue, 3 Nov 2015 18:12:08 +0100 (CET) Received: from [10.20.80.62] (unknown [193.53.238.201]) (using TLSv1.2 with cipher ECDHE-RSA-AES128-GCM-SHA256 (128/128 bits)) (Client did not present a certificate) (Authenticated sender: bigon) by anor.bigon.be (Postfix) with ESMTPSA id D7EEA1A070 for ; Tue, 3 Nov 2015 18:12:07 +0100 (CET) In-Reply-To: <1758315.3fUBHW9xxQ@x2> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com Le 03/11/15 17:28, Steve Grubb a =E9crit : > On Tuesday, November 03, 2015 05:05:55 PM Laurent Bigonville wrote: >> Hi, >> >> With dbus 1.10.2 (on Debian), when I'm running "semodule -B", the system >> dbus daemon is complaining with the following message: >> >> nov 03 15:02:57 soldur dbus[1057]: Can't send to audit system: USER_AVC >> avc: received policyload notice (seqno=3D3) exe=3D"/usr/bin/dbus-daemon" >> sauid=3D102 hostname=3D? addr=3D? terminal=3D? >> >> This is the system dbus daemon running as "messagebus": >> >> message+ 1057 0.0 0.0 127756 4524 ? Ssl 10:39 0:11 >> /usr/bin/dbus-daemon --system --address=3Dsystemd: --nofork --nopidfile >> --systemd-activation >> >> Looking at the capabilities: >> >> $ sudo getpcaps 1057 >> Capabilities for `1057': =3D cap_audit_write+ep >> >> All other user_avc seems to be properly logged in audit. >> >> An idea? > I'd patch it to syslog errno and other information to locate the syscall > that's failing. Did socket fail? Did the send fail? Does it work in permi= ssive > mode? I'm running in permissive mode. I'm seeing a netlink open to the audit: dbus-daem 1057 messagebus 7u netlink 0t0 15248 AUDIT Apparently audit_send() returns -1 I've been to reproduce this on F23 as well. BTW if I'm trying to compile audit with gcc optimization disabled (-O0) = I get: libtool: link: gcc -D_GNU_SOURCE -g -O0 -fstack-protector-strong = -Wformat -Werror=3Dformat-security -Wl,-z -Wl,relro -Wl,--as-needed -o = .libs/auvirt auvirt.o auvirt-list.o ausearch-time.o -L../../auparse = /<>/debian/build/auparse/.libs/libauparse.so auvirt.o: In function `process_machine_id_event': /<>/debian/build/tools/auvirt/../../../../tools/auvirt/auvirt.= c:484: = undefined reference to `copy_str' Cheers, Laurent Bigonville