On 9/18/19 9:35 AM, Ted Toth wrote:
I'm seeing things like tclass=context#012 in some AVCs what is this telling me?
Just a guess here, but octal 012 is '\n' aka a newline character, and libselinux/src/avc.c:avc_audit() appends a "\n" at the end of the buffer before calling avc_log() to log the entire string. avc_log() will call the logging callback, and dbusd does define one, which calls audit_log_user_avc_message(). Maybe audit_log_user_avc_message() is escaping the newline character in its output as well as appending additional data.
I'm a little unclear though on why dbusd is checking a context contains permission?
