On 15/11/03, Steve Grubb wrote:
> On Tuesday, November 03, 2015 06:12:07 PM Laurent Bigonville wrote:
> > On 03/11/15 17:28, Steve Grubb wrote:
> > > On Tuesday, November 03, 2015 05:05:55 PM Laurent Bigonville wrote:
> > >> Hi,
> > >>
> > >> With dbus 1.10.2 (on Debian), when I'm running "semodule -B", the system
> > >> dbus daemon is complaining with the following message:
> > >>
> > >> nov 03 15:02:57 soldur dbus[1057]: Can't send to audit system: USER_AVC
> > >> avc: received policyload notice (seqno=3) exe="/usr/bin/dbus-daemon"
> > >> sauid=102 hostname=? addr=? terminal=?
> > >>
> > >> This is the system dbus daemon running as "messagebus":
> > >>
> > >> message+ 1057 0.0 0.0 127756 4524 ? Ssl 10:39 0:11
> > >> /usr/bin/dbus-daemon --system --address=systemd: --nofork --nopidfile
> > >> --systemd-activation
> > >>
> > >> Looking at the capabilities:
> > >>
> > >> $ sudo getpcaps 1057
> > >> Capabilities for `1057': = cap_audit_write+ep
> > >>
> > >> All other user_avc seems to be properly logged in audit.
> > >>
> > >> An idea?
> > >
> > > I'd patch it to syslog errno and other information to locate the syscall
> > > that's failing. Did socket fail? Did the send fail? Does it work in
> > > permissive mode?
> >
> > I'm running in permissive mode.
> >
> > I'm seeing a netlink open to the audit:
> >
> > dbus-daem 1057 messagebus 7u netlink 0t0 15248 AUDIT
> >
> > Apparently audit_send() returns -1
>
> Since it's -1, that would be an EPERM. No idea where this is coming from if you
> have CAP_AUDIT_WRITE. I use pscap to check that.

Are you in a container of any kind or any non-init USER namespace? I
can't see it being denied otherwise assuming it is only trying to send
AUDIT_USER_* class messages. (This assumes upstream kernel.) I guess I
have to ask which kernel too, since changes to NET and PID namespaces
are somewhat recent and Debian tends on the side of conservative to be
stable.

> > I've been to reproduce this on F23 as well.

I have not played around with that yet. What kernel is that?

> > BTW if I'm trying to compile audit with gcc optimization disabled (-O0)
> > I get:
> >
> > libtool: link: gcc -D_GNU_SOURCE -g -O0 -fstack-protector-strong
> > -Wformat -Werror=format-security -Wl,-z -Wl,relro -Wl,--as-needed -o
> > .libs/auvirt auvirt.o auvirt-list.o ausearch-time.o -L../../auparse
> > /<<PKGBUILDDIR>>/debian/build/auparse/.libs/libauparse.so
> > auvirt.o: In function `process_machine_id_event':
> > /<<PKGBUILDDIR>>/debian/build/tools/auvirt/../../../../tools/auvirt/auvirt.c:484:
> > undefined reference to `copy_str'
>
> Thanks. I see a similar report with a patch from yoctoproject.org whatever
> that is. I don't recall seeing the patch sent here. They list it as a C99
> compiler change in semantics for inline functions. I have fixed this differently
> in the upstream code as commit #1132

Yocto is a framework for developing distributions for embedded devices.

> https://fedorahosted.org/audit/changeset/1132
>
> Thanks,
> -Steve

- RGB

--
Richard Guy Briggs <[email protected]>
Senior Software Engineer, Kernel Security, AMER ENG Base Operating Systems, Red Hat
Remote, Ottawa, Canada
Voice: +1.647.777.2635, Internal: (81) 32635, Alt: +1.613.693.0684x3545

--
Linux-audit mailing list
[email protected]
https://www.redhat.com/mailman/listinfo/linux-audit
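
The two checks raised in this thread (is CAP_AUDIT_WRITE really in the effective set, and is the process in a non-init user namespace) can be scripted from /proc. This is an added example, not code from the thread, dbus or audit; it goes one step beyond `getpcaps <pid>` by reading every thread's status, since Linux capabilities are a per-thread attribute, and the sample status excerpts are constructed.

```python
import os
import sys

CAP_AUDIT_WRITE = 29  # bit number in <linux/capability.h>

def cap_eff(status_text):
    """Effective capability mask from the text of a /proc/.../status file."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split()[1], 16)
    raise ValueError("no CapEff line found")

def has_audit_write(status_text):
    return bool((cap_eff(status_text) >> CAP_AUDIT_WRITE) & 1)

def userns(pid):
    """User-namespace link target, or None if /proc refuses access."""
    try:
        return os.readlink(f"/proc/{pid}/ns/user")
    except OSError:
        return None

def threads_missing_cap(pid):
    """TIDs of the process whose effective set lacks CAP_AUDIT_WRITE."""
    missing = []
    for tid in sorted(os.listdir(f"/proc/{pid}/task"), key=int):
        with open(f"/proc/{pid}/task/{tid}/status") as fh:
            if not has_audit_write(fh.read()):
                missing.append(int(tid))
    return missing

# Constructed status excerpts (not taken from the thread).
SAMPLE_WITH = "Name:\tdbus-daemon\nCapEff:\t0000000020000000\n"
SAMPLE_WITHOUT = "Name:\tdbus-daemon\nCapEff:\t0000000000000000\n"

if __name__ == "__main__":
    pid = sys.argv[1] if len(sys.argv) > 1 else str(os.getpid())
    print("threads without CAP_AUDIT_WRITE:", threads_missing_cap(pid))
    mine, init = userns(pid), userns(1)
    if None in (mine, init):
        print("user namespace: unknown (run as root to read /proc/1/ns)")
    else:
        print("non-init user namespace:", mine != init)
```

Run it as root with the daemon's PID as the only argument; without root, the namespace comparison against PID 1 is reported as unknown rather than guessed.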
