On Thursday, November 05, 2015 09:32:09 AM Laurent Bigonville wrote:
> On 05/11/15 04:23, Steve Grubb wrote:
> > On Tuesday, November 03, 2015 09:48:31 PM Laurent Bigonville wrote:
> >> On 03/11/15 21:08, Richard Guy Briggs wrote:
> >>> On 15/11/03, Steve Grubb wrote:
> >>>> On Tuesday, November 03, 2015 06:12:07 PM Laurent Bigonville wrote:
> >>>>> I'm running in permissive mode.
> >>>>>
> >>>>> I'm seeing a netlink open to the audit:
> >>>>>
> >>>>> dbus-daem 1057 messagebus 7u netlink 0t0 15248 AUDIT
> >>>>>
> >>>>> Apparently audit_send() returns -1
> >>>>
> >>>> Since it's -1, that would be an EPERM. No idea where this is coming from
> >>>> if you have CAP_AUDIT_WRITE. I use pscap to check that.
> >>>
> >>> Are you in a container of any kind or any non-init USER namespace? I
> >>> can't see it being denied otherwise assuming it is only trying to send
> >>> AUDIT_USER_* class messages. (This assumes upstream kernel.)
> >>
> >> No, I initially saw this on my laptop and then tested on F23 in kvm.
> >
> > I tested this on Fedora 22 and did not get a USER_AVC from dbus, but I also
> > did not get an error message in syslog. So, I don't know what to make of
> > it. (And for the record, I have a bz open saying that USER_AVC is the
> > wrong event type. They are blaming libselinux but I blame them for not using
> > AUDIT_USER_MAC_POLICY_LOAD.)
>
> The audit code in dbus has been refactored a bit in the version present in
> F23 and debian unstable, so it might be related to that.

I filed a bz to get this fixed:
https://bugzilla.redhat.com/show_bug.cgi?id=1278602

The root cause is listed in the bug. Dbus has 2 threads, one with
CAP_AUDIT_WRITE and one without. The one without is the one trying to send the
event.

-Steve

--
Linux-audit mailing list
https://www.redhat.com/mailman/listinfo/linux-audit
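
The root cause named above can be checked per thread, because Linux keeps capability sets per thread and exposes them in /proc/<pid>/task/<tid>/status. The following is an added example, not part of the thread and not dbus or audit project code; the function names are hypothetical, and TID 1060 and the status text in SAMPLE are constructed (PID 1057 is the one from the lsof line).

```python
import os
import sys

CAP_AUDIT_WRITE = 29  # bit number defined in <linux/capability.h>


def parse_cap_eff(status_text):
    """Return the effective capability mask from /proc/.../status text."""
    for line in status_text.splitlines():
        if line.startswith("CapEff:"):
            return int(line.split(":", 1)[1].strip(), 16)
    raise ValueError("no CapEff line found")


def has_cap(mask, cap=CAP_AUDIT_WRITE):
    """True if bit `cap` is set in the capability mask."""
    return bool((mask >> cap) & 1)


def threads_missing_cap(task_statuses, cap=CAP_AUDIT_WRITE):
    """task_statuses maps tid -> status text; return sorted tids lacking cap."""
    return sorted(tid for tid, text in task_statuses.items()
                  if not has_cap(parse_cap_eff(text), cap))


def read_task_statuses(pid, proc_root="/proc"):
    """Read the status file of every thread of `pid`."""
    task_dir = os.path.join(proc_root, str(pid), "task")
    statuses = {}
    for tid in os.listdir(task_dir):
        try:
            with open(os.path.join(task_dir, tid, "status")) as fh:
                statuses[int(tid)] = fh.read()
        except (FileNotFoundError, ProcessLookupError):
            continue  # thread exited between listdir() and open()
    return statuses


# Constructed sample: two threads of one process; only the first keeps
# CAP_AUDIT_WRITE (1 << 29 == 0x20000000) in its effective set.
SAMPLE = {
    1057: "Name:\tdbus-daemon\nCapPrm:\t0000000020000000\nCapEff:\t0000000020000000\n",
    1060: "Name:\tdbus-daemon\nCapPrm:\t0000000000000000\nCapEff:\t0000000000000000\n",
}

if __name__ == "__main__":
    # With a PID argument, inspect the live process; otherwise use SAMPLE.
    data = read_task_statuses(int(sys.argv[1])) if len(sys.argv) > 1 else SAMPLE
    for tid in threads_missing_cap(data):
        print(f"tid {tid}: CAP_AUDIT_WRITE not in effective set")
```

Run with a PID argument it lists the threads of that process whose effective set lacks CAP_AUDIT_WRITE; an audit message sent from such a thread is refused even when another thread of the same process holds the capability.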
