On Tuesday, November 03, 2015 06:12:07 PM Laurent Bigonville wrote: > Le 03/11/15 17:28, Steve Grubb a écrit : > > On Tuesday, November 03, 2015 05:05:55 PM Laurent Bigonville wrote: > >> Hi, > >> > >> With dbus 1.10.2 (on Debian), when I'm running "semodule -B", the system > >> dbus daemon is complaining with the following message: > >> > >> nov 03 15:02:57 soldur dbus[1057]: Can't send to audit system: USER_AVC > >> avc: received policyload notice (seqno=3) exe="/usr/bin/dbus-daemon" > >> sauid=102 hostname=? addr=? terminal=? > >> > >> This is the system dbus daemon running as "messagebus": > >> > >> message+ 1057 0.0 0.0 127756 4524 ? Ssl 10:39 0:11 > >> /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile > >> --systemd-activation > >> > >> Looking at the capabilities: > >> > >> $ sudo getpcaps 1057 > >> Capabilities for `1057': = cap_audit_write+ep > >> > >> All other user_avc seems to be properly logged in audit. > >> > >> An idea? > > > > I'd patch it to syslog errno and other information to locate the syscall > > that's failing. Did socket fail? Did the send fail? Does it work in > > permissive mode? > > I'm running in permissive mode. > > I'm seeing a netlink open to the audit: > > dbus-daem 1057 messagebus 7u netlink 0t0 15248 AUDIT > > Apparently audit_send() returns -1
Since its -1, that would be an EPERM. No idea where this is coming from if you have CAP_AUDIT_WRITE. I use pscap to check that. > I've been to reproduce this on F23 as well. I have not played around with that yet. > BTW if I'm trying to compile audit with gcc optimization disabled (-O0) > I get: > > libtool: link: gcc -D_GNU_SOURCE -g -O0 -fstack-protector-strong > -Wformat -Werror=format-security -Wl,-z -Wl,relro -Wl,--as-needed -o > .libs/auvirt auvirt.o auvirt-list.o ausearch-time.o -L../../auparse > /<<PKGBUILDDIR>>/debian/build/auparse/.libs/libauparse.so > auvirt.o: In function `process_machine_id_event': > /<<PKGBUILDDIR>>/debian/build/tools/auvirt/../../../../tools/auvirt/auvirt.c > :484: undefined reference to `copy_str' Thanks. I see a similar report with a patch from yoctoproject.org whatever that is. I don't recall seeing the patch sent here. They list it as a C99 compiler change in semantics for inline functions. I have fixed this differently in the upstream code as commit #1132 https://fedorahosted.org/audit/changeset/1132 Thanks, -Steve -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
