On Wed, Sep 18, 2019 at 9:03 AM Ted Toth <txtoth@xxxxxxxxx> wrote: > > On Wed, Sep 18, 2019 at 8:53 AM Stephen Smalley <sds@xxxxxxxxxxxxx> wrote: > > > > On 9/18/19 9:35 AM, Ted Toth wrote: > > > I'm seeing things like tclass=context#012 in some AVCs what is this telling me? > > > > Just a guess here, but octal 012 is '\n' aka a newline character, and > > libselinux/src/avc.c:avc_audit() appends a "\n" at the end of the buffer > > before calling avc_log() to log the entire string. avc_log() will call > > the logging callback, and dbusd does define one, which calls > > audit_log_user_avc_message(). Maybe audit_log_user_avc_message() is > > escaping the newline character in its output as well as appending > > additional data. > > > > I'm a little unclear though on why dbusd is checking a context contains > > permission? > > These appear to only occur when systemd is starting the dbus daemon > and they end up in /var/log/messages not /var/log/audit/audit.log as > I'd expect. Maybe audit isn't up yet.
