Issuing the following command:
# setenforce 0
Results with log message:
Feb 24 12:04:31 <host> dbus: avc: received setenforce notice (enforcing=0)
Feb 24 12:04:31 <host> dbus: Can't send to audit system: USER_AVC avc: received setenforce notice (enforcing=0)#012: exe="?" sauid=81 hostname=? addr=? terminal=?
And yet, selinux messages keep popping up where none should be showing?
On 02/24/2010 09:08 PM, Daniel B. Thurman wrote:
> Issuing the following command:
> # setenforce 0
> Results with log message:
> Feb 24 12:04:31 <host> dbus: avc: received setenforce notice (enforcing=0)
> Feb 24 12:04:31 <host> dbus: Can't send to audit system: USER_AVC avc: received setenforce notice (enforcing=0)#012: exe="?" sauid=81 hostname=? addr=? terminal=?
This is a known bug in dbus, but it should not affect anything except that it throws the messages.
> And yet, selinux messages keep popping up where none should be showing?
SELinux permissive mode means: allow all access but log would-be denials.
What denials are you seeing?
-- selinux mailing list selinux@lists.fedoraproject.org https://admin.fedoraproject.org/mailman/listinfo/selinux
On 02/24/2010 03:12 PM, Dominick Grift wrote:
> On 02/24/2010 09:08 PM, Daniel B. Thurman wrote:
>> Issuing the following command:
>> # setenforce 0
>> Results with log message:
>> Feb 24 12:04:31 <host> dbus: avc: received setenforce notice (enforcing=0)
>> Feb 24 12:04:31 <host> dbus: Can't send to audit system: USER_AVC avc: received setenforce notice (enforcing=0)#012: exe="?" sauid=81 hostname=? addr=? terminal=?
The funny/sad thing is this is not an SELinux avc error although it is reported as such. I have sent a patch for this a couple of times.
This is what is happening. dbus uses SELinux policy and communicates with the SELinux subsystem to query whether something is allowed or not. When policy is reloaded the SELinux system sends a message to all policy enforcers that there has been a policy reload.
Dbus gets the message that it received an updated policy and it decides it needs to write the message to the audit subsystem. If dbus is running as root it is allowed and everything works correctly. If dbus (session_bus) is running as non-root, when it tries to send the audit message it is blocked by DAC (not by SELinux). Then it reports this as an error to the syslog system.
The patch that has been sent to dbus is to understand when it is running as non-root that it does not need to send audit messages.
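An added triage example, not part of the original thread: it separates the dbus status notices discussed above (including the "Can't send to audit system" variant) from real AVC denials when reading syslog. The function names, category labels, and the kernel denial and sshd lines in the sample are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample syslog lines: the two dbus lines follow the messages
# quoted in the thread; the kernel denial and the sshd line are invented.
SAMPLE_LOG = """\
Feb 24 12:04:31 host1 dbus: avc: received setenforce notice (enforcing=0)
Feb 24 12:04:31 host1 dbus: Can't send to audit system: USER_AVC avc: received setenforce notice (enforcing=0)#012: exe="?" sauid=81 hostname=? addr=? terminal=?
Feb 24 12:05:02 host1 kernel: type=1400 audit(1267041902.118:57): avc:  denied  { read } for  pid=2211 comm="httpd" name="index.html" dev=dm-0 ino=4711 scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file
Feb 24 12:05:10 host1 sshd[2301]: Accepted publickey for alice from 192.0.2.10 port 50022 ssh2
"""

SYSLOG = re.compile(r"^\w{3}\s+\d+\s[\d:]{8}\s\S+\s(?P<prog>[^:\[\s]+)(?:\[\d+\])?:\s(?P<msg>.*)$")
# A real denial carries "denied", a permission set and both security contexts.
DENIAL = re.compile(r"avc:\s+denied\s+\{\s*(?P<perms>[^}]*?)\s*\}.*?scontext=(?P<scontext>\S+)"
                    r"\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)")
# A status notice (such as setenforce) only reports a state change.
NOTICE = re.compile(r"avc:\s+received (?P<event>\w+) notice")
AUDIT_SEND_FAILED = "Can't send to audit system"


def classify(line):
    """Return (category, details) for one syslog line."""
    m = SYSLOG.match(line)
    if not m:
        return "unparsed", {}
    prog, msg = m["prog"], m["msg"]
    d = DENIAL.search(msg)
    if d:
        return "denial", {"prog": prog, **d.groupdict()}
    n = NOTICE.search(msg)
    if n:
        # Same notice, but the daemon also failed to write it to the audit system.
        cat = "audit_write_failed" if AUDIT_SEND_FAILED in msg else "avc_notice"
        return cat, {"prog": prog, "event": n["event"]}
    return "other", {"prog": prog}


def summarize(text):
    """Count categories and collect the real denials from a log excerpt."""
    counts, denials = Counter(), []
    for line in text.splitlines():
        cat, info = classify(line)
        counts[cat] += 1
        if cat == "denial":
            denials.append(info)
    return counts, denials
```

Calling `summarize(SAMPLE_LOG)` returns the per-category counts and the list of parsed denials, so only the kernel line is reported as an actual denial.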