On Monday 04 August 2008 19:01:43 LC Bruzenak wrote:
> type=USER_AVC msg=audit(08/04/2008 16:04:24.152:126492) : user pid=23501
> uid=root auid=unset subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023
> msg='avc: denied { receive } for comm=(null) event=X11:PropertyNotify
> scontext=user_u:user_r:user_t:s0-s15:c0.c1023
> tcontext=user_u:object_r:property_xevent_t:s4:c0,c2,c11,c200.c511
> tclass=x_event : exe=/usr/bin/Xorg (sauid=root hostname=?, addr=?,
> terminal=?)'
> I guess the question here is not why there is > 16 chars (since this is
> a USER_AVC not kernel-generated event - right?)

Yep.

> but rather why the GUI shows the comm but the ausearch doesn't.

I think I tried to work around the problem the SE Linux folks are creating and
then decided they need to fix the code since I am now violating the audit
standard by allowing for the mis-use of field encoding. They should probably
both show (null) until this gets fixed in libselinux.
-Steve