Thanks guys, it looks like you found the root cause. It was on my todo list to play with this on Rawhide but I wanted to get through Richard's patches first.
On Thu, Nov 5, 2015 at 6:19 PM, Laurent Bigonville <[email protected]> wrote:
> On 06/11/15 00:03, Steve Grubb wrote:
>
>> On Thursday, November 05, 2015 09:32:09 AM Laurent Bigonville wrote:
>>>
>>> On 05/11/15 04:23, Steve Grubb wrote:
>>>>
>>>> On Tuesday, November 03, 2015 09:48:31 PM Laurent Bigonville wrote:
>>>>>
>>>>> On 03/11/15 21:08, Richard Guy Briggs wrote:
>>>>>>
>>>>>> On 15/11/03, Steve Grubb wrote:
>>>>>>>
>>>>>>> On Tuesday, November 03, 2015 06:12:07 PM Laurent Bigonville wrote:
>>>>>>>>
>>>>>>>> I'm running in permissive mode.
>>>>>>>>
>>>>>>>> I'm seeing a netlink open to the audit:
>>>>>>>>
>>>>>>>> dbus-daem 1057 messagebus 7u netlink 0t0 15248 AUDIT
>>>>>>>>
>>>>>>>> Apparently audit_send() returns -1
>>>>>>>
>>>>>>> Since it's -1, that would be an EPERM. No idea where this is coming
>>>>>>> from if you have CAP_AUDIT_WRITE. I use pscap to check that.
>>>>>>
>>>>>> Are you in a container of any kind or any non-init USER namespace? I
>>>>>> can't see it being denied otherwise assuming it is only trying to send
>>>>>> AUDIT_USER_* class messages. (This assumes upstream kernel.)
>>>>>
>>>>> No, I initially saw this on my laptop and then tested on F23 in kvm.
>>>>
>>>> I tested this on Fedora 22 and did not get a USER_AVC from dbus, but I
>>>> also did not get an error message in syslog. So, I don't know what to
>>>> make of it. (And for the record, I have a bz open saying that USER_AVC
>>>> is the wrong event type. They are blaming libselinux but I blame them
>>>> for not using AUDIT_USER_MAC_POLICY_LOAD.)
>>>
>>> The audit code in dbus has been refactored a bit in the version present
>>> in F23 and debian unstable, so it might be related to that.
>>
>>
>> I filed a bz to get this fixed:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1278602
>>
>> The root cause is listed in the bug. Dbus has 2 threads, one with
>> CAP_AUDIT_WRITE and one without. The one without is the one trying to
>> send the event.
>
> Thanks,
>
> I've opened a bug upstream too:
> https://bugs.freedesktop.org/show_bug.cgi?id=92832
>
>
> --
> Linux-audit mailing list
> [email protected]
> https://www.redhat.com/mailman/listinfo/linux-audit

--
paul moore
www.paul-moore.com
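
The root cause named in the thread (one dbus thread with CAP_AUDIT_WRITE, one without) can be confirmed per thread, because Linux capability sets belong to each thread and `/proc/<pid>/task/<tid>/status` reports each thread's `CapEff`. The following is an added example, not code from this thread, dbus or the audit project; the helper names and the sample status text (including TID 1060) are constructed for illustration.

```python
"""Per-thread check for CAP_AUDIT_WRITE (added example; sample data is constructed)."""
import os
import re

CAP_AUDIT_WRITE = 29  # bit number from <linux/capability.h>

def parse_status(text):
    """Return (thread name, effective capability mask) from a /proc status file."""
    name = re.search(r"^Name:\s*(.+)$", text, re.M).group(1)
    cap_eff = int(re.search(r"^CapEff:\s*([0-9a-fA-F]+)$", text, re.M).group(1), 16)
    return name, cap_eff

def has_cap(mask, cap=CAP_AUDIT_WRITE):
    """True if capability bit `cap` is set in the mask."""
    return bool((mask >> cap) & 1)

def threads_missing_cap(status_by_tid, cap=CAP_AUDIT_WRITE):
    """Given {tid: status text}, list (tid, name) of threads lacking `cap`."""
    missing = []
    for tid, text in sorted(status_by_tid.items()):
        name, mask = parse_status(text)
        if not has_cap(mask, cap):
            missing.append((tid, name))
    return missing

def read_task_status(pid):
    """Read the status file of every thread of a live process."""
    base = f"/proc/{pid}/task"
    out = {}
    for tid in os.listdir(base):
        try:
            with open(f"{base}/{tid}/status") as fh:
                out[int(tid)] = fh.read()
        except FileNotFoundError:  # thread exited while we were scanning
            continue
    return out

# Constructed sample: the main thread keeps CAP_AUDIT_WRITE (bit 29 = 0x20000000),
# a second thread has an empty effective set.
SAMPLE = {
    1057: "Name:\tdbus-daemon\nPid:\t1057\nCapEff:\t0000000020000000\n",
    1060: "Name:\tdbus-daemon\nPid:\t1060\nCapEff:\t0000000000000000\n",
}

if __name__ == "__main__":
    for tid, name in threads_missing_cap(SAMPLE):
        print(f"tid {tid} ({name}) lacks CAP_AUDIT_WRITE")
```

On a live system, pass `read_task_status(pid)` for the daemon's PID to `threads_missing_cap` instead of `SAMPLE`.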
