Re: Userspace AVC auditing on policy load

On Wed, Aug 26, 2020 at 09:25:18AM -0400, Chris PeBenito wrote:
> I was looking into this dbus-broker audit message, which has the wrong audit type:
> 
> audit[422]: USER_AVC pid=422 uid=999 auid=4294967295 ses=4294967295
> subj=system_u:system_r:system_dbusd_t msg='avc:  received policyload notice
> (seqno=2)
> 
> This is due to dbus-broker setting their avc log callback to send USER_AVC
> audit messages for everything that comes to the libselinux log callback. I
> think the right thing to do there is to change it to emit USER_SELINUX_ERR
> audit messages if the log message is SELINUX_ERROR, otherwise log the
> message using their regular method (stderr I think).

A similar problem existed in systemd. It was fixed by the following commit
https://github.com/systemd/systemd/commit/6227fc14c48c4c17daed4b91f61cdd4aa375790a
which lets the systemd log callback ignore everything but SELINUX_AVC and SELINUX_ERR.

I believe this is the same problem, which should be fixed in dbus and dbus-broker.


> But the question became, why is the userspace AVC not simply emitting its
> own USER_MAC_POLICY_LOAD audit message instead of sending a message to the
> log callback?
> 
> -- 
> Chris PeBenito
> 
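One way to write the libselinux log callback split discussed above (audit records only for AVC denials and errors, everything else to the daemon's ordinary log), as an added C example that is not code from dbus-broker, systemd or libselinux. The SELINUX_* defines stand in for libselinux's header so the snippet builds without it; the route names, counters and demo() are hypothetical, and the replayed messages are constructed.

```c
#include <stdarg.h>
#include <stdio.h>

/* Stand-ins for the message types libselinux passes to the SELINUX_CB_LOG
 * callback; values mirror <selinux/selinux.h>, which real code includes. */
#define SELINUX_ERROR 1
#define SELINUX_INFO  3
#define SELINUX_AVC   4

enum log_route {            /* hypothetical names for the three destinations */
    ROUTE_USER_AVC,         /* emit a USER_AVC audit record            */
    ROUTE_USER_SELINUX_ERR, /* emit a USER_SELINUX_ERR audit record    */
    ROUTE_STDERR            /* ordinary daemon log, not an audit event */
};
/* Routing decision, kept apart from the varargs callback so it is testable:
 * only denials and errors become audit records, notices and info do not. */
enum log_route route_for_type(int type)
{
    switch (type) {
    case SELINUX_AVC:   return ROUTE_USER_AVC;
    case SELINUX_ERROR: return ROUTE_USER_SELINUX_ERR;
    default:            return ROUTE_STDERR;
    }
}
static unsigned int n_audit_avc, n_audit_err, n_stderr; /* observed by demo() */
/* Signature libselinux expects for SELINUX_CB_LOG; install with
 * selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback){ .func_log = selinux_log_cb }). */
static int selinux_log_cb(int type, const char *fmt, ...)
{
    char msg[1024]; va_list ap;
    va_start(ap, fmt);
    vsnprintf(msg, sizeof msg, fmt, ap);
    va_end(ap);
    switch (route_for_type(type)) {
    case ROUTE_USER_AVC:         n_audit_avc++; break; /* libaudit audit_log_user_avc_message() here */
    case ROUTE_USER_SELINUX_ERR: n_audit_err++; break; /* libaudit user message as USER_SELINUX_ERR */
    case ROUTE_STDERR:           fputs(msg, stderr); n_stderr++; break;
    }
    return 0;
}
/* Replays the message kinds from the thread (constructed text; the type of the
 * policyload notice is assumed) and returns how many audit records resulted. */
unsigned int demo(void)
{
    n_audit_avc = n_audit_err = n_stderr = 0;
    selinux_log_cb(SELINUX_INFO, "avc:  received policyload notice (seqno=%u)\n", 2u);
    selinux_log_cb(SELINUX_AVC, "avc:  denied  { send_msg } for pid=%d\n", 4242);
    selinux_log_cb(SELINUX_ERROR, "%s: failed to compute context\n", "dbus-broker");
    return n_audit_avc + n_audit_err;
}
```

With this split the policyload notice from the original report reaches stderr only, so it no longer shows up as a USER_AVC record in the audit log.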
