Description of problem:
I spoke with Steve Grubb about the below message.
dbus: Can't send to audit system: USER_AVC avc: received setenforce notice (enforcing=0) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)

Version-Release number of selected component (if applicable):
RHEL5.2-Snapshot.2

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL5.2-Snapshot.2
2. Install the /CoreOS/super-smack, make run

Actual results:
dbus: Can't send to audit system: USER_AVC avc: received setenforce notice (enforcing=0) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)

Expected results:

Additional info:

Seriously, this happens over and over and over. It's like they never use SE Linux or look at audit logs.

* Fri Sep 14 2007 Dan Walsh <dwalsh> - 1.1.2-5.fc8
- Reverse we_were_root check to setpcap if we were root. Also only init audit if we were root. So error dbus message will not show up when policy reload happens. dbus -session will no longer try to send audit message, only system will.

* Wed Sep 06 2006 Dan Walsh <dwalsh> - 0.92-2
- Only audit on the system bus

* Mon Apr 17 2006 John (J5) Palmieri <johnp> 0.61-4
- New audit patch

I don't know what bz is associated with these, but I would think the dbus maintainers would know which patch they used to apply. This is a regression.
David, Do you have enough information to continue? I spoke with Steve Grubb on this issue. He had told me that this issue was fixed and it is now back again. Jeff
> Do you have enough information to continue? I spoke with Steve Grubb on this
> issue. He had told me that this issue was fixed and it is now back again.

Maybe Steve assumed it was fixed in Fedora but not in RHEL? Looking through the changelog the last change related to audit/SELinux was in the fall of 2006. So I don't think the fix was removed. Either way, I assume it's about applying a patch to D-Bus. Steve, is it possible you can elaborate exactly what patch is needed?
David, Dan added a patch in 1.1.2-5.fc8 to not attempt logging policy reloads if it's the user's session bus since it does not have the necessary capabilities. Only the system bus should log audit messages.
A clarification, Dan's patch should have taken care of any AVC and not just policy reloads - which is the most common.
Yeah, that's what I remember. Just to be 100% clear, we're talking about this patch right? http://cvs.fedoraproject.org/viewcvs/rpms/dbus/F-8/dbus-1.1.2-audit-user.patch?rev=1.1&view=auto Thanks.
Yes, but that patch depends on a little supporting code, too. The we_were_root variable is not in 1.0. I think if you add the code involving it, you have the complete fix.
(In reply to comment #8)
> Yes, but that patch depends on a little supporting code, too. The we_were_root
> variable is not in 1.0. I think if you add the code involving it, you have the
> complete fix.

Is it possible you or someone with a detailed understanding of this can provide a patch that will apply and will work? I'm a bit scared that I will get it wrong, I'm not well-versed in this area of the dbus code.
Created attachment 302331: session patch to send syslog message instead of audit message
I believe this is a far more critical error than first reported. I am now seeing that dbus cannot send audit logs even from the system bus, which could potentially break CAPP requirements. dbus is dropping privs to CAP_AUDITWRITE but the kernel seems to be blocking the audit messages.
Thanks for the patch. I'm adding the devack flag and will build new packages once all the ACKs are in place.
*** Bug 280561 has been marked as a duplicate of this bug. ***
Created attachment 302512: Fixed patch
This patch corrects both the userspace sending messages to /var/log/messages instead of audit and allows system space to send audit messages
This patch is now in dbus-1.0.0-7.el5 http://brewweb.devel.redhat.com/brew/taskinfo?taskID=1272598 Thanks.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2008-0458.html
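Added example, not part of the original bug report or of the dbus patches: a small triage script that finds the "Can't send to audit system" fallback lines quoted in this report and counts the AVC notices that never reached the audit log, per sending uid. The syslog prefix, the host name and the policyload line in the sample are constructed for illustration.

```python
import re
from collections import Counter

# Fallback line dbus writes when an AVC notice cannot be handed to audit.
# Layout taken from the message quoted in the report.
LOST = re.compile(
    r"dbus: Can't send to audit system: (?P<type>\w+) avc:\s+(?P<text>.*?)\s*:"
    r'\s+exe="(?P<exe>[^"]*)"\s+\((?P<fields>[^)]*)\)'
)

# Constructed sample input: three lost notices and one unrelated line.
SAMPLE = """\
Mar  3 10:15:01 host1 dbus: Can't send to audit system: USER_AVC avc:  received setenforce notice (enforcing=0) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
Mar  3 10:15:07 host1 dbus: Can't send to audit system: USER_AVC avc:  received policyload notice (seqno=2) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
Mar  3 10:16:44 host1 sshd[2211]: Accepted publickey for admin from 192.0.2.10
Mar  3 10:20:13 host1 dbus: Can't send to audit system: USER_AVC avc:  received setenforce notice (enforcing=0) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)
""".splitlines()


def parse_lost_avc(line):
    """Return the fields of one lost-audit line, or None if it is not one."""
    m = LOST.search(line)
    if not m:
        return None
    rec = {"type": m["type"], "text": m["text"], "exe": m["exe"]}
    # Trailing "(sauid=81, hostname=?, ...)" becomes key/value pairs.
    for pair in m["fields"].split(","):
        key, _, value = pair.strip().partition("=")
        rec[key] = value
    return rec


def summarize(lines):
    """Count lost AVC notices per (sauid, notice text)."""
    counts = Counter()
    for line in lines:
        rec = parse_lost_avc(line)
        if rec:
            counts[(rec.get("sauid"), rec["text"])] += 1
    return counts


if __name__ == "__main__":
    for (sauid, text), n in summarize(SAMPLE).most_common():
        print(f"sauid={sauid} lost {n}x: {text}")
```

Each hit is an event that is missing from the audit trail, so the counts show how large the gap is on hosts that still run an unpatched dbus.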