|Summary:||[RHEL5 U2] dbus: Can't send to audit system: USER_AVC avc:|
|Product:||Red Hat Enterprise Linux 5||Reporter:||Jeff Burke <jburke>|
|Component:||dbus||Assignee:||David Zeuthen <davidz>|
|Status:||CLOSED ERRATA||QA Contact:||desktop-bugs <desktop-bugs>|
|Version:||5.2||CC:||eparis, mclasen, mpoole, sgrubb|
|Fixed In Version:||RHBA-2008-0458||Doc Type:||Bug Fix|
|Doc Text:||Story Points:||---|
|Last Closed:||2008-05-21 16:44:30 UTC||Type:||---|
|oVirt Team:||---||RHEL 7.3 requirements from Atomic Host:|
Description Jeff Burke 2008-03-31 15:20:17 UTC
Description of problem: I spoke with Steve Grubb about the below message. dbus: Can't send to audit system: USER_AVC avc: received setenforce notice (enforcing=0) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?) Version-Release number of selected component (if applicable): RHEL5.2-Sanpshot.2 How reproducible: Always Steps to Reproduce: 1. Install RHEL5.2-Sanpshot.2 2. Install the /CoreOS/super-smack, make run Actual results: dbus: Can't send to audit system: USER_AVC avc: received setenforce notice (enforcing=0) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?) Expected results: Additional info: Seriously, this happens over and over and over. Its like they never use SE Linux or look at audit logs. * Fri Sep 14 2007 Dan Walsh <firstname.lastname@example.org> - 1.1.2-5.fc8 - Reverse we_were_root check to setpcap if we were root. Also only init audit if we were root. So error dbus message will not show up when policy reload happens. dbus -session will no longer try to send audit message, only system will. * Wed Sep 06 2006 Dan Walsh <email@example.com> - 0.92-2 - Only audit on the system bus * Mon Apr 17 2006 John (J5) Palmieri <firstname.lastname@example.org> 0.61-4 - New audit patch I don't know what bz is associated with these, but I would think the dbus maintainers would know which patch they used to apply. This is a regression.
Comment 3 Jeff Burke 2008-04-03 14:51:54 UTC
David, Do you have enough information to continue? I spoke with Steve Grubb on this issue. He had told me that this issue was fixed and it is now back again. Jeff
Comment 4 David Zeuthen 2008-04-03 15:47:34 UTC
> Do you have enough information to continue? I spoke with Steve Grubb on this > issue. He had told me that this issue was fixed and it is now back again. Maybe Steve assumed it was fixed in Fedora but not in RHEL? Looking through the changelog the last change related to audit/SELinux was in the fall 2006. So I don't think the fix was removed. Either way, I assume it's about applying a patch to D-Bus. Steve, is it possible you can elaborate exactly what patch is needed?
Comment 5 Steve Grubb 2008-04-03 16:00:31 UTC
David, Dan added a patch in 1.1.2-5.fc8 to not attempt logging policy reloads if its the user's session bus since it does not have the necessary capabilities. Only the system bus should log audit messages.
Comment 6 Steve Grubb 2008-04-03 16:02:12 UTC
A clarification, Dan's patch should have taken care of any AVC and not just policy reloads - which is the most common.
Comment 7 David Zeuthen 2008-04-03 16:10:01 UTC
Yeah, that's what I remember. Just to be 100% clear, we're talking about this patch right? http://cvs.fedoraproject.org/viewcvs/rpms/dbus/F-8/dbus-1.1.2-audit-user.patch?rev=1.1&view=auto Thanks.
Comment 8 Steve Grubb 2008-04-03 16:27:08 UTC
Yes, but that patch depends on a little supporting code, too. The we_were_root variable is not in 1.0. I think if you add the code involving it, you have the complete fix.
Comment 9 David Zeuthen 2008-04-09 18:31:52 UTC
(In reply to comment #8) > Yes, but that patch depends on a little supporting code, too. The we_were_root > variable is not in 1.0. I think if you add the code involving it, you have the > complete fix. Is it possible you or someone with a detailed understanding of this can provide a patch that will apply and will work? I'm a bit scared that I will get it wrong, I'm not well-versed in this area of the dbus code.
Comment 10 Daniel Walsh 2008-04-14 12:50:20 UTC
Created attachment 302331 [details] session patch to send syslog message instead of audit message
Comment 11 Daniel Walsh 2008-04-15 14:09:38 UTC
I believe this is a far more critical error then first reported. I am now seeing that dbus can not send audit logs even from the system bus, which could potentially break CAPP requirements. dbus is dropping privs to CAP_AUDITWRITE but the kernel seems to be blocking the audit messages.
Comment 13 David Zeuthen 2008-04-15 16:37:46 UTC
Thanks for the patch. I'm adding the devack flag and will build new packages once all the ACK's are in place.
Comment 16 Daniel Walsh 2008-04-15 19:39:58 UTC
*** Bug 280561 has been marked as a duplicate of this bug. ***
Comment 17 Daniel Walsh 2008-04-15 19:43:03 UTC
Created attachment 302512 [details] Fixed patch This patch corrects both the userspace sending messages to /var/log/messages instead of audit and allows system space to send audit messages
Comment 18 David Zeuthen 2008-04-15 20:01:15 UTC
This patch is now in dbus-1.0.0-7.el5 http://brewweb.devel.redhat.com/brew/taskinfo?taskID=1272598 Thanks.
Comment 22 errata-xmlrpc 2008-05-21 16:44:30 UTC
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0458.html