Steve Grubb:
> The problem is that if you don't have auditing enabled and later in the
> syscall have an AVC, the data you need may be gone. The AVC has the device and
> inode,
This I don't understand. The raw audit records WERE included in the
message. (I repeat them below.) But they don't include any inode.
> Does setroubleshoot give instruction
> how to use the inode and device with the find command?
No, but I would know how to do it. If I had any device/inode to
search for.
Raw Audit Messages
node=freddi type=AVC msg=audit(1263843455.583:203): avc: denied { dac_override } for pid=6050 comm="plymouthd" capability=1 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability
node=freddi type=SYSCALL msg=audit(1263843455.583:203): arch=c000003e syscall=2 success=no exit=-19 a0=d13a60 a1=2 a2=0 a3=7fff3cad2310 items=0 ppid=1 pid=6050 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="plymouthd" exe="/sbin/plymouthd" subj=system_u:system_r:plymouthd_t:s0 key=(null)
--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
