Setnenforce prevented?

Daniel J Walsh dwalsh at redhat.com
Wed Feb 24 20:30:33 UTC 2010


On 02/24/2010 03:12 PM, Dominick Grift wrote:
> On 02/24/2010 09:08 PM, Daniel B. Thurman wrote:
>    
>> Issuing the following command:
>> # setenforce 0
>>
>> Results with log message:
>>
>> Feb 24 12:04:31<host>  dbus: avc:  received setenforce notice (enforcing=0)
>> Feb 24 12:04:31<host>  dbus: Can't send to audit system: USER_AVC avc:
>> received setenforce notice (enforcing=0)#012: exe="?" sauid=81
>> hostname=? addr=? terminal=?
>>      
>
The funny/sad thing is this is not an SELinux avc error although it is
reported as such.  I have sent a patch for this a couple of times.

This is what is happening.  dbus uses SELinux policy and communicates
with the SELinux subsystem to query whether something is allowed or
not.  When policy is reloaded the SELinux system sends a message to all
policy enforcers that there has been a policy reload.

Dbus gets the message that it received an updated policy and it decides
it needs to write the message to the audit subsystem.  If dbus is
running as root it is allowed and everything works correctly.  If dbus
(session_bus) is running as non-root, when it tries to send the audit
message it is blocked by DAC (not by SELinux).  Then it reports this
as an error to the syslog system.

The patch that has been sent to dbus is to understand that when it is running
as non-root it does not need to send audit messages.
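An added illustration (not code from this thread, dbus, or the patch Dan mentions) of the two things a practitioner would want from the explanation above: a check that decides, the way the described patch does, whether a process is even able to send audit messages before it tries, and a triage filter that tells the misreported "avc: received setenforce notice" lines apart from a real kernel AVC denial. The check assumes that the DAC block referred to above is the kernel's requirement that a process hold CAP_AUDIT_WRITE (capability bit 29) to send user audit messages over the audit netlink socket; the `/proc/<pid>/status` dumps and the log lines are constructed samples, not taken from the original mail.

```python
import re

# CAP_AUDIT_WRITE is bit 29 in <linux/capability.h>; the kernel requires it
# for AUDIT_USER_* messages sent over the audit netlink socket.
CAP_AUDIT_WRITE = 29


def can_write_audit(proc_status_text: str) -> bool:
    """Return True if the CapEff line of a /proc/<pid>/status dump includes
    CAP_AUDIT_WRITE, i.e. an audit message would pass the kernel's check."""
    m = re.search(r"^CapEff:\s*([0-9a-fA-F]+)\s*$", proc_status_text, re.M)
    if not m:
        return False
    cap_eff = int(m.group(1), 16)
    return bool((cap_eff >> CAP_AUDIT_WRITE) & 1)


def should_send_setenforce_audit(proc_status_text: str) -> bool:
    """The behaviour the described patch wants (hypothetical helper, not the
    real dbus code): only attempt the USER_AVC audit record when the process
    can actually deliver it; a session bus running as a user silently skips."""
    return can_write_audit(proc_status_text)


# Triage patterns, checked in order of severity.
AVC_DENIED = re.compile(r"\bavc:\s+denied\b")
AUDIT_SEND_FAILED = re.compile(r"Can't send to audit system")
SETENFORCE_NOTICE = re.compile(r"received setenforce notice \(enforcing=(\d)\)")


def classify_line(line: str) -> str:
    """Label one syslog line:
    avc_denial         - a real SELinux denial from the kernel
    audit_send_failure - dbus could not deliver its USER_AVC record (DAC block)
    setenforce_notice  - dbus echoing the enforcing-mode change, not a denial
    other              - anything else"""
    if AVC_DENIED.search(line):
        return "avc_denial"
    if AUDIT_SEND_FAILED.search(line):
        return "audit_send_failure"
    if SETENFORCE_NOTICE.search(line):
        return "setenforce_notice"
    return "other"


def setenforce_mode(line: str):
    """Return the enforcing value (0 or 1) carried by a setenforce notice, else None."""
    m = SETENFORCE_NOTICE.search(line)
    return int(m.group(1)) if m else None


def summarize(lines):
    """Count lines per category so a reviewer sees how much is real denial
    versus dbus noise."""
    counts = {"avc_denial": 0, "audit_send_failure": 0,
              "setenforce_notice": 0, "other": 0}
    for line in lines:
        counts[classify_line(line)] += 1
    return counts


# Constructed /proc/<pid>/status excerpts: a root system bus and a user session bus.
ROOT_STATUS = "Name:\tdbus-daemon\nUid:\t0\t0\t0\t0\nCapEff:\t0000003fffffffff\n"
SESSION_STATUS = "Name:\tdbus-daemon\nUid:\t1000\t1000\t1000\t1000\nCapEff:\t0000000000000000\n"

# Constructed syslog sample modelled on the lines quoted in the thread.
SAMPLE_LOG = [
    "Feb 24 12:04:31 host dbus: avc:  received setenforce notice (enforcing=0)",
    "Feb 24 12:04:31 host dbus: Can't send to audit system: USER_AVC avc: "
    "received setenforce notice (enforcing=0)#012: exe=\"?\" sauid=81 hostname=? addr=? terminal=?",
    "Feb 24 12:05:02 host kernel: type=1400 audit(1267013102.123:45): avc:  denied  { read } "
    "for  pid=1234 comm=\"httpd\" name=\"index.html\" dev=sda1 ino=567 "
    "scontext=system_u:system_r:httpd_t:s0 tcontext=unconfined_u:object_r:user_home_t:s0 tclass=file",
    "Feb 24 12:05:10 host sshd[2222]: Accepted publickey for alice from 192.0.2.10 port 51234 ssh2",
]

if __name__ == "__main__":
    print("root bus may audit:   ", should_send_setenforce_audit(ROOT_STATUS))
    print("session bus may audit:", should_send_setenforce_audit(SESSION_STATUS))
    for line in SAMPLE_LOG:
        print(classify_line(line), setenforce_mode(line), line[:60])
    print(summarize(SAMPLE_LOG))
```

Run as a script it prints the capability decision for both buses and the per-line labels; only the `kernel: ... avc: denied` line is a policy denial worth investigating, while the two dbus lines are the DAC-blocked notice described in the mail.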
