audit-viewer "comm" question

Steve Grubb sgrubb at redhat.com
Mon Aug 4 23:15:40 UTC 2008


On Monday 04 August 2008 19:01:43 LC Bruzenak wrote:
> > type=USER_AVC msg=audit(08/04/2008 16:04:24.152:126492) : user pid=23501
> > uid=root auid=unset subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023
> > msg='avc:  denied  { receive } for  comm=(null) event=X11:PropertyNotify
> > scontext=user_u:user_r:user_t:s0-s15:c0.c1023
> > tcontext=user_u:object_r:property_xevent_t:s4:c0,c2,c11,c200.c511
> > tclass=x_event : exe=/usr/bin/Xorg (sauid=root  hostname=?, addr=?,
> > terminal=?)'
>
> I guess the question here is not why there is > 16 chars (since this is
> a USER_AVC not kernel-generated event - right?)

Yep.

> but rather why the GUI shows the comm but the ausearch doesn't.

I think I tried to work around the problem the SE Linux folks are creating and 
then decided they need to fix the code since I am now violating the audit 
standard by allowing for the mis-use of field encoding. They should probably 
both show (null) until this gets fixed in libselinux.

-Steve
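As an added example (not code from the thread or from the audit project), a small Python parser for the USER_AVC record quoted above: it pulls the fields out of the nested msg='...' payload and classifies untrusted-string values under the audit encoding convention, which is assumed here to be either a double-quoted literal or an unquoted run of hex digits, so that comm=(null) shows up as the unencoded sentinel the thread is about. The record text is reconstructed from the quoted lines, and the set of fields treated as untrusted is an assumption.

```python
import re

# Constructed from the USER_AVC record quoted in the thread (wrapped lines joined).
RECORD = (
    "type=USER_AVC msg=audit(08/04/2008 16:04:24.152:126492) : user pid=23501 "
    "uid=root auid=unset subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023 "
    "msg='avc:  denied  { receive } for  comm=(null) event=X11:PropertyNotify "
    "scontext=user_u:user_r:user_t:s0-s15:c0.c1023 "
    "tcontext=user_u:object_r:property_xevent_t:s4:c0,c2,c11,c200.c511 "
    "tclass=x_event : exe=/usr/bin/Xorg (sauid=root  hostname=?, addr=?, terminal=?)'"
)

# key=value tokens; the timestamp contains a space and the payload is single-quoted,
# so both get their own alternative ahead of the generic non-space value.
FIELD_RE = re.compile(r"(\w+)=(audit\([^)]*\)|'[^']*'|\"[^\"]*\"|\?|\S+)")
HEX_RE = re.compile(r"(?:[0-9A-F]{2})+")
# Assumption: fields the audit system treats as untrusted strings and encodes.
UNTRUSTED = {"comm", "exe", "acct"}

def parse_user_avc(record):
    """Split a USER_AVC line into its outer fields and the fields inside msg='...'."""
    outer, inner = {}, {}
    for key, value in FIELD_RE.findall(record):
        if key == "msg" and value.startswith("'"):
            # nested AVC payload: tokenize it the same way
            inner = dict(FIELD_RE.findall(value[1:-1]))
        else:
            outer[key] = value
    return outer, inner

def classify(key, value):
    """Classify a raw (un-interpreted) field value under the audit encoding rules.
    Assumption: an untrusted string is either a double-quoted literal or an unquoted
    run of uppercase hex; anything else, such as (null), is not a valid encoding."""
    if key not in UNTRUSTED:
        return "trusted", value
    if len(value) >= 2 and value[0] == value[-1] == '"':
        return "literal", value[1:-1]
    if HEX_RE.fullmatch(value):
        return "hex", bytes.fromhex(value).decode("utf-8", "replace")
    if value == "(null)":
        return "unencoded-null", None
    return "unencoded", value

def null_fields(fields):
    """Fields whose value is the literal (null) sentinel a NULL pointer leaves behind."""
    return sorted(k for k, v in fields.items() if v == "(null)")
```

Because the quoted record is already interpreted output (quotes stripped, hex decoded), classify() is meant for raw log lines; on this record null_fields() is what surfaces the comm problem.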
