On Tue, Nov 3, 2015 at 11:28 AM, Steve Grubb <[email protected]> wrote: > On Tuesday, November 03, 2015 05:05:55 PM Laurent Bigonville wrote: >> Hi, >> >> With dbus 1.10.2 (on Debian), when I'm running "semodule -B", the system >> dbus daemon is complaining with the following message: >> >> nov 03 15:02:57 soldur dbus[1057]: Can't send to audit system: USER_AVC >> avc: received policyload notice (seqno=3) exe="/usr/bin/dbus-daemon" >> sauid=102 hostname=? addr=? terminal=? >> >> This is the system dbus daemon running as "messagebus": >> >> message+ 1057 0.0 0.0 127756 4524 ? Ssl 10:39 0:11 >> /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile >> --systemd-activation >> >> Looking at the capabilities: >> >> $ sudo getpcaps 1057 >> Capabilities for `1057': = cap_audit_write+ep >> >> All other user_avc seems to be properly logged in audit. >> >> An idea? > > I'd patch it to syslog errno and other information to locate the syscall > that's failing. Did socket fail? Did the send fail? Does it work in permissive > mode?
I would also verify that your loaded SELinux policy is not blocking the CAP_AUDIT_WRITE capability or the netlink_audit_socket:nlmsg_relay permission. -- paul moore www.paul-moore.com -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
