Can't send to audit system

John (J5) Palmieri johnp at redhat.com
Mon Oct 24 12:55:02 PDT 2005


This is a known issue in that code was added to DBus in the latest
update that would send AVC denial messages through libaudit.  The
problem is dbus doesn't run as root, so it is not allowed to
connect to the audit daemon.  It should not be an issue, though I am
wondering what messages are being blocked by SELinux.  That might be a
bug in the SELinux rules.

On Mon, 2005-10-24 at 12:32 -0500, Larry D. Brown wrote:
> I am running RHEL 4 on a Dell Optiplex GX260.  I have Oracle loaded, and
> WebSphere and Tuxedo.  I have SELinux activated and the firewall in
> place.  I also run scanlogd and keep a tail -f on /var/log/messages to
> detect any intrusions.  Last week our enterprise security department ran
> their usual port scan looking for security vulnerabilities.  They found
> an ftp server on port 2100, which is the server Oracle sets up.  Very
> soon after that scan, according to my message log, I started seeing this
> message:
> 
> Oct 19 17:45:39 bl-uits-negril dbus: Can't send to audit system:
> USER_AVC pid=2494 uid=81 loginuid=-1 message=avc: denied  { send_msg }
> for scontext=user_u:system_r:unconfined_t
> tcontext=user_u:system_r:initrc_t tclass=dbus
> 
> I have rebooted several times, and the message is still coming through.
> I can stop the dbus_daemon, using /etc/init.d/messagebus, and the
> messages stop, but every time I start it up again, the messages are
> filling my log space.
> 
> With dbus_daemon running, I get the following from dbus_monitor:
> 
> Failed to open connection to system message bus:  An SELinux  policy
> prevents this sender from sending this message to this recipient
> (rejected message had interface "org.freedesktop.DBus" member "Hello"
> error name "(unset)" destination "org.freedesktop.DBus")
> 
> How can I stop these messages?  How do I purge the queue that is clearly
> trying to send a message that I don't care about and would prefer not be
> sent.  I have pulled the ethernet cable on the off chance that this
> machine has been compromised, and I am disinclined to plug it back in
> until I can be sure it has not.  Thanks for your help.

-- 
John (J5) Palmieri <johnp at redhat.com>
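
An added example, not part of the original thread and not dbus or libaudit code: one way to see which denials sit behind the "Can't send to audit system" lines is to parse them out of /var/log/messages and count them per source context, target context, class and permission. The function names and the sample log are constructed for illustration; the field layout is taken from the message quoted above.

```python
import re
from collections import Counter

# Layout follows the USER_AVC message quoted in the post (syslog line unwrapped).
AVC_RE = re.compile(
    r"dbus: Can't send to audit system: USER_AVC "
    r"pid=(?P<pid>\d+) uid=(?P<uid>\d+) loginuid=(?P<loginuid>-?\d+) "
    r"message=avc:\s+denied\s+\{(?P<perms>[^}]*)\}\s+for\s+(?P<rest>.*)$"
)
KV_RE = re.compile(r"(\w+)=(\S+)")

# Constructed sample: the first entry is the message from the post, the second
# repeats it with a made-up timestamp, the third is a made-up unrelated entry.
AVC_TAIL = (
    "dbus: Can't send to audit system: USER_AVC pid=2494 uid=81 loginuid=-1 "
    "message=avc: denied  { send_msg } for "
    "scontext=user_u:system_r:unconfined_t "
    "tcontext=user_u:system_r:initrc_t tclass=dbus"
)
SAMPLE_LOG = [
    "Oct 19 17:45:39 bl-uits-negril " + AVC_TAIL,
    "Oct 19 17:45:41 bl-uits-negril " + AVC_TAIL,
    "Oct 19 17:45:42 bl-uits-negril crond[3101]: constructed unrelated entry",
]


def parse_avc(line):
    """Return the denial's fields as a dict, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {k: int(m.group(k)) for k in ("pid", "uid", "loginuid")}
    rec["perms"] = m.group("perms").split()      # "{ send_msg }" -> ["send_msg"]
    rec.update(KV_RE.findall(m.group("rest")))   # scontext, tcontext, tclass
    return rec


def summarize(lines):
    """Count denials per (scontext, tcontext, tclass, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        for perm in rec["perms"]:
            key = (rec.get("scontext"), rec.get("tcontext"), rec.get("tclass"), perm)
            counts[key] += 1
    return counts


if __name__ == "__main__":
    for (src, tgt, cls, perm), n in summarize(SAMPLE_LOG).most_common():
        print(f"{n:5d}  {src} -> {tgt}  class={cls}  perm={perm}")
```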
