Le 05/11/15 04:23, Steve Grubb a écrit :
On Tuesday, November 03, 2015 09:48:31 PM Laurent Bigonville wrote:
Le 03/11/15 21:08, Richard Guy Briggs a écrit :
On 15/11/03, Steve Grubb wrote:
On Tuesday, November 03, 2015 06:12:07 PM Laurent Bigonville wrote:
I'm running in permissive mode.
I'm seeing a netlink open to the audit:
dbus-daem 1057 messagebus 7u netlink 0t0 15248 AUDIT
Apparently audit_send() returns -1
Since its -1, that would be an EPERM. No idea where this is coming from
if you have CAP_AUDIT_WRITE. I use pscap to check that.
Are you in a container of any kind or any non-init USER namespace? I
can't see it being denied otherwise assuming it is only trying to send
AUDIT_USER_* class messages. (This assumes upstream kernel.)
No, I initially saw this on my laptop and then tested on F23 in kvm.
I tested this on Fedora 22 and did not get a USER_AVC from dbus, but I also
did not get an error message in syslog. So, I don't know what to make of it.
(And for the record, I have a bz open saying that USER_AVC is the wrong event
type. They are blaming libselinux but I blame them for not using
AUDIT_USER_MAC_POLICY_LOAD.)
The audit code in dbus has been refactored a bit in the version present
F23 and debian unstable, so it might be related to this that.
Do you still have the number of that bz bug?
Cheers,
Laurent Bigonville
--
Linux-audit mailing list
Linux-audit@redhat.com
https://www.redhat.com/mailman/listinfo/linux-audit
