How do I figure out on what file dac_override is attempted?

[Göran Uddeborg]

Stephen Smalley:
> To get object information, you need to enable
> syscall auditing, and add a trivial syscall filter to turn on pathname
> collection by the audit subsystem.

Thanks for that tip (all of you who gave it)!  I now know it is
/dev/fb that plymouthd can't access.  The audit record also told me it
was owned by a regular user and mode rw-------.  So now it makes
sense.  A root process would need dac_override to open that file.