On 02/24/2010 03:12 PM, Dominick Grift wrote:
> On 02/24/2010 09:08 PM, Daniel B. Thurman wrote:
>
>> Issuing the following command:
>> # setenforce 0
>>
>> Results with log message:
>>
>> Feb 24 12:04:31<host> dbus: avc: received setenforce notice (enforcing=0)
>> Feb 24 12:04:31<host> dbus: Can't send to audit system: USER_AVC avc:
>> received setenforce notice (enforcing=0)#012: exe="?" sauid=81
>> hostname=? addr=? terminal=?
>>
>

The funny/sad thing is this is not an SELinux avc error although it is reported as such. I have sent a patch for this a couple of times.

This is what is happening. dbus uses SELinux policy and communicates with the SELinux subsystem to query whether something is allowed or not. When policy is reloaded, the SELinux system sends a message to all policy enforcers that there has been a policy reload. Dbus gets the message that it received an updated policy and it decides it needs to write the message to the audit subsystem.

If dbus is running as root, it is allowed and everything works correctly. If dbus (session_bus) is running as non-root, when it tries to send the audit message it is blocked by DAC (not by SELinux). Then it reports this as an error to the syslog system.

The patch that has been sent to dbus is to understand when it is running as non-root that it does not need to send audit messages.
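
For log triage, the distinction drawn in the message above can be applied mechanically. This is an added example, not part of the original thread and not dbus or libselinux code: it separates real AVC denials from the informational setenforce/policyload notices and from the "Can't send to audit system" variant. The function names and sample lines are constructed for illustration.

```python
import re

# Constructed sample syslog lines, modelled on the messages quoted in the thread.
SAMPLE = [
    "Feb 24 12:04:31 host1 dbus: avc:  received setenforce notice (enforcing=0)",
    "Feb 24 12:04:31 host1 dbus: Can't send to audit system: USER_AVC avc:  "
    "received setenforce notice (enforcing=0)#012: exe=\"?\" sauid=81 "
    "hostname=? addr=? terminal=?",
    "Feb 24 12:05:02 host1 kernel: type=1400 audit(1267041902.123:45): "
    "avc:  denied  { read } for  pid=2001 comm=\"httpd\" name=\"x\" "
    "scontext=system_u:system_r:httpd_t:s0 "
    "tcontext=system_u:object_r:user_home_t:s0 tclass=file",
    "Feb 24 12:06:10 host1 dbus: avc:  received policyload notice (seqno=3)",
]

# Notices a userspace object manager logs when enforcing mode or policy changes.
NOTICE = re.compile(r"avc:\s+received (setenforce|policyload) notice \(([^)]*)\)")
# An actual access denial, from the kernel or a userspace object manager.
DENIED = re.compile(r"avc:\s+denied\s+\{([^}]*)\}")
# Prefix logged when the audit message could not be delivered.
AUDIT_FAIL = "Can't send to audit system"


def classify(line):
    """Return (kind, detail) for one syslog line.

    A denial is checked first so that it stays a denial even when the
    audit send also failed; only notices are downgraded to noise.
    """
    m = DENIED.search(line)
    if m:
        return ("denial", m.group(1).strip())
    m = NOTICE.search(line)
    if m:
        kind = "audit_send_failed" if AUDIT_FAIL in line else "notice"
        return (kind, f"{m.group(1)} {m.group(2)}")
    return ("other", "")


def summarize(lines):
    """Count lines per kind so real denials are not buried under notices."""
    counts = {}
    for line in lines:
        kind, _ = classify(line)
        counts[kind] = counts.get(kind, 0) + 1
    return counts


if __name__ == "__main__":
    for entry in SAMPLE:
        print(classify(entry))
    print(summarize(SAMPLE))
```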