On Wed, Aug 26, 2020 at 9:26 AM Chris PeBenito <chpebeni@xxxxxxxxxxxxxxxxxxx> wrote: > > I was looking into this dbus-broker audit message, which has the wrong audit type: > > audit[422]: USER_AVC pid=422 uid=999 auid=4294967295 ses=4294967295 > subj=system_u:system_r:system_dbusd_t msg='avc: received policyload notice > (seqno=2) > > This is due to dbus-broker setting their avc log callback to send USER_AVC audit > messages for everything that comes to the libselinux log callback. I think the > right thing to do there is to change it to emit USER_SELINUX_ERR audit messages > if the log message is SELINUX_ERROR, otherwise log the message using their > regular method (stderr I think). > > But the question became, why is the userspace AVC not simply emitting its own > USER_MAC_POLICY_LOAD audit message instead of sending a message to the log callback? IIRC, the original userspace AVC support predates audit and the intent was for the application to deal with dispatching messages as desired from its callback, whether via libaudit or via syslog or whatever. Not opposed to revisiting that but it would require some care, e.g. not sure you'd want both libselinux and the application calling audit_open().
