Can't send to audit system
Larry D. Brown
brownld at indiana.edu
Mon Oct 24 10:32:34 PDT 2005
I am running RHEL 4 on a Dell Optiplex GX260. I have Oracle loaded, and
Websphere and Tuxido. I have SELinux activated and the firewall in
place. I also run scanlogd and keep a tail -f on /var/log/messages to
detect any intrusions. Last week our enterprise security department ran
their usual port scan looking for security vulnerabilities. They found
an ftp server on port 2100, which is the server Oracle sets up. Very
soon after that scan, according to my message log, I started seeing this
message:
Oct 19 17:45:39 bl-uits-negril dbus: Can't send to audit system:
USER_AVC pid=2494 uid=81 loginuid=-1 message=avc: denied { send_msg }
for scontext=user_u:system_r:unconfined_t
tcontext=user_u:system_r:initrc_t tclass=dbus
I have rebooted several times, and the message is still coming through.
I can stop the dbus_daemon, using /etc/init.d/messagebus, and the
messages stop, but every time I start it up again, the messages are
filling my log space.
With dbus_daemon running, I get the following from dbus_monitor:
Failed to open connection to system message bus: An SELinux policy
prevents this sender from sending this message to this recipient
(rejected message had interface "org.freedesktop.DBus" member "Hello"
error name "(unset)" destination "org.freedesktop.DBus")
How can I stop these messages? How do I purge the queue that is clearly
trying to send a message that I don't care about and would prefer not be
sent. I have pulled the ethernet cable on the off chance that this
machine has been compromised, and I am disinclined to plug it back in
until I can be sure it has not. Thanks for your help.
--
Larry D. Brown <brownld at indiana.edu>
Indiana University
More information about the dbus
mailing list