Some XACE avc denials end up in /var/log/messages as opposed to /var/log/audit/audit.log. These particular XACE avc denials appear with a malformed tclass field:
Example:
Sep 10 17:50:31 notebook3 Xephyr: Can't send to audit system: USER_AVC avc: denied { get_property } for request=X11:GetProperty comm=/usr/bin/xterm resid=102 restype=WINDOW scontext=dgrift_u:dgrift_r:sandbox_x_client_t:s0:c29,c36 tcontext=dgrift_u:object_r:sandbox_xserver_t:s0:c29,c36 tclass=x_drawable#012: exe="/usr/bin/Xephyr" sauid=0 hostname=? addr=? terminal=?
note the: tclass=x_drawable#012:
I believe this may be the reason why these avc denials end up in /var/log/messages instead of /var/log/audit/audit.log , but i am not sure.
Attachment:
pgp8lAlbJsNfG.pgp
Description: PGP signature
