Bug 439810 - [RHEL5 U2] dbus: Can't send to audit system: USER_AVC avc:
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: dbus
Version: 5.2
Hardware: All, OS: Linux
Priority: low, Severity: high
Target Milestone: rc
Assigned To: David Zeuthen
QA Contact: desktop-bugs@redhat.com
URL: http://rhts.redhat.com/testlogs/18719...
Keywords: Regression
Duplicates: 280561
Reported: 2008-03-31 11:20 EDT by Jeff Burke
Modified: 2013-03-05 22:55 EST
Fixed In Version: RHBA-2008-0458
Doc Type: Bug Fix
Last Closed: 2008-05-21 12:44:30 EDT

Attachments
session patch to send syslog message instead of audit message (2.96 KB, patch)
2008-04-14 08:50 EDT, Daniel Walsh
Fixed patch (2.81 KB, patch)
2008-04-15 15:43 EDT, Daniel Walsh

Description Jeff Burke 2008-03-31 11:20:17 EDT
Description of problem:
 I spoke with Steve Grubb about the below message.

dbus: Can't send to audit system: USER_AVC avc:  received setenforce notice
(enforcing=0) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)


Version-Release number of selected component (if applicable):
RHEL5.2-Snapshot.2

How reproducible:
Always

Steps to Reproduce:
1. Install RHEL5.2-Snapshot.2
2. Install the /CoreOS/super-smack, make run
  
Actual results:
dbus: Can't send to audit system: USER_AVC avc:  received setenforce notice
(enforcing=0) : exe="?" (sauid=81, hostname=?, addr=?, terminal=?)

Expected results:


Additional info:
Seriously, this happens over and over and over. It's like they never use SE
Linux or look at audit logs.


* Fri Sep 14 2007 Dan Walsh <dwalsh@redhat.com> - 1.1.2-5.fc8
- Reverse we_were_root check to setpcap if we were root.  Also only init
audit if we were root.  So error dbus message will not show up when policy 
reload happens.  dbus -session will no longer try to send audit message, 
only system will.

* Wed Sep 06 2006 Dan Walsh <dwalsh@redhat.com> - 0.92-2
- Only audit on the system bus

* Mon Apr 17 2006 John (J5) Palmieri <johnp@redhat.com> 0.61-4
- New audit patch

I don't know what bz is associated with these, but I would think the dbus 
maintainers would know which patch they used to apply. This is a regression.
Comment 3 Jeff Burke 2008-04-03 10:51:54 EDT
David,
  Do you have enough information to continue? I spoke with Steve Grubb on this
issue. He had told me that this issue was fixed and it is now back again.

Jeff
Comment 4 David Zeuthen 2008-04-03 11:47:34 EDT
> Do you have enough information to continue? I spoke with Steve Grubb on this
> issue. He had told me that this issue was fixed and it is now back again.

Maybe Steve assumed it was fixed in Fedora but not in RHEL? Looking through the
changelog the last change related to audit/SELinux was in the fall 2006. So I
don't think the fix was removed. 

Either way, I assume it's about applying a patch to D-Bus. Steve, is it possible
you can elaborate exactly what patch is needed?
Comment 5 Steve Grubb 2008-04-03 12:00:31 EDT
David, Dan added a patch in 1.1.2-5.fc8 to not attempt logging policy reloads if
it's the user's session bus since it does not have the necessary capabilities.
Only the system bus should log audit messages.
Comment 6 Steve Grubb 2008-04-03 12:02:12 EDT
A clarification, Dan's patch should have taken care of any AVC and not just
policy reloads - which is the most common.
Comment 7 David Zeuthen 2008-04-03 12:10:01 EDT
Yeah, that's what I remember. Just to be 100% clear, we're talking about this
patch right?

http://cvs.fedoraproject.org/viewcvs/rpms/dbus/F-8/dbus-1.1.2-audit-user.patch?rev=1.1&view=auto

Thanks.
Comment 8 Steve Grubb 2008-04-03 12:27:08 EDT
Yes, but that patch depends on a little supporting code, too. The we_were_root
variable is not in 1.0. I think if you add the code involving it, you have the
complete fix.
Comment 9 David Zeuthen 2008-04-09 14:31:52 EDT
(In reply to comment #8)
> Yes, but that patch depends on a little supporting code, too. The we_were_root
> variable is not in 1.0. I think if you add the code involving it, you have the
> complete fix.

Is it possible you or someone with a detailed understanding of this can provide
a patch that will apply and will work? I'm a bit scared that I will get it
wrong, I'm not well-versed in this area of the dbus code.
Comment 10 Daniel Walsh 2008-04-14 08:50:20 EDT
Created attachment 302331 [details]
session patch to send syslog message instead of audit message
Comment 11 Daniel Walsh 2008-04-15 10:09:38 EDT
I believe this is a far more critical error than first reported.  I am now
seeing that dbus can not send audit logs even from the system bus, which could
potentially break CAPP requirements.  dbus is dropping privs to CAP_AUDITWRITE
but the kernel seems to be blocking the audit messages.
Comment 13 David Zeuthen 2008-04-15 12:37:46 EDT
Thanks for the patch. I'm adding the devack flag and will build new packages
once all the ACK's are in place.
Comment 16 Daniel Walsh 2008-04-15 15:39:58 EDT
*** Bug 280561 has been marked as a duplicate of this bug. ***
Comment 17 Daniel Walsh 2008-04-15 15:43:03 EDT
Created attachment 302512 [details]
Fixed patch

This patch corrects both the userspace sending messages to /var/log/messages
instead of audit and allows system space to send audit messages.
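
The routing discussed in comments 5, 11 and 17 (session bus to syslog, system bus to the audit system) can be modelled as below. This is an added example, not the attached patch or dbus source; every function name is hypothetical, the syslog fallback for a system bus that lacks CAP_AUDIT_WRITE is an assumption, and the audit branch only prints where a real daemon would call libaudit.

```c
/* Added example: sink selection for SELinux AVC notices; all names are hypothetical. */
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <syslog.h>
#define CAP_AUDIT_WRITE_BIT 29 /* value of CAP_AUDIT_WRITE in <linux/capability.h> */
enum sink { SINK_SYSLOG, SINK_AUDIT };

/* Pull the effective capability mask out of /proc/<pid>/status text; 0 if absent. */
uint64_t cap_eff_from_status(const char *status)
{
    const char *p = strstr(status, "CapEff:");
    return p ? strtoull(p + strlen("CapEff:"), NULL, 16) : 0;
}

/* Session bus: never audit. System bus: audit only while CAP_AUDIT_WRITE is held (assumed fallback: syslog). */
enum sink choose_sink(int is_system_bus, uint64_t cap_eff)
{
    if (is_system_bus && ((cap_eff >> CAP_AUDIT_WRITE_BIT) & 1))
        return SINK_AUDIT;
    return SINK_SYSLOG;
}

/* Format one notice and route it; returns the sink that was used. */
enum sink log_avc(int is_system_bus, uint64_t cap_eff, const char *fmt, ...)
{
    char buf[512];
    va_list ap;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
    enum sink s = choose_sink(is_system_bus, cap_eff);
    if (s == SINK_AUDIT) /* a real daemon would call libaudit's audit_log_user_avc_message() here */
        fprintf(stderr, "[audit USER_AVC] %s\n", buf);
    else
        syslog(LOG_USER | LOG_INFO, "%s", buf);
    return s;
}

int main(void)
{
    char st[4096] = "";
    FILE *f = fopen("/proc/self/status", "r");
    if (f) { st[fread(st, 1, sizeof st - 1, f)] = '\0'; fclose(f); }
    uint64_t eff = cap_eff_from_status(st);
    printf("system bus sink: %d\n", log_avc(1, eff, "avc: constructed test notice"));
    return 0;
}
```

The same CapEff check applies to a running daemon: read the CapEff line of /proc/<pid>/status and test bit 29.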
Comment 18 David Zeuthen 2008-04-15 16:01:15 EDT
This patch is now in dbus-1.0.0-7.el5

http://brewweb.devel.redhat.com/brew/taskinfo?taskID=1272598

Thanks.
Comment 22 errata-xmlrpc 2008-05-21 12:44:30 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2008-0458.html
