From: Steve Grubb
Subject: Re: audit-viewer "comm" question
Date: Mon, 4 Aug 2008 19:15:40 -0400
Message-ID: <200808041915.40752.sgrubb@redhat.com>
References: <1217890182.30693.417.camel@homeserver> <1217890903.30693.423.camel@homeserver>
In-Reply-To: <1217890903.30693.423.camel@homeserver>
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Monday 04 August 2008 19:01:43 LC Bruzenak wrote:
> > type=USER_AVC msg=audit(08/04/2008 16:04:24.152:126492) : user pid=23501
> > uid=root auid=unset subj=system_u:system_r:xdm_xserver_t:s0-s15:c0.c1023
> > msg='avc:  denied  { receive } for  comm=(null) event=X11:PropertyNotify
> > scontext=user_u:user_r:user_t:s0-s15:c0.c1023
> > tcontext=user_u:object_r:property_xevent_t:s4:c0,c2,c11,c200.c511
> > tclass=x_event : exe=/usr/bin/Xorg (sauid=root  hostname=?, addr=?,
> > terminal=?)'
>
> I guess the question here is not why there is > 16 chars (since this is
> a USER_AVC not kernel-generated event - right?)

Yep.

> but rather why the GUI shows the comm but the ausearch doesn't.

I think I tried to work around the problem the SE Linux folks are creating and
then decided they need to fix the code since I am now violating the audit
standard by allowing for the mis-use of field encoding. They should probably
both show (null) until this gets fixed in libselinux.

-Steve