Steve Grubb:
> The problem is that if you don't have auditing enabled and later in the syscall have an AVC, the data you need may be gone. The AVC has the device and inode,

This I don't understand. The raw audit records WERE included in the message. (I repeat them below.) But they don't include any inode.

> Does setroubleshoot give instruction how to use the inode and device with the find command?

No, but I would know how to do it. If I had any device/inode to search for.
Raw Audit Messages
node=freddi type=AVC msg=audit(1263843455.583:203): avc: denied { dac_override } for
pid=6050 comm="plymouthd" capability=1 scontext=system_u:system_r:plymouthd_t:s0
tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability
node=freddi type=SYSCALL msg=audit(1263843455.583:203): arch=c000003e syscall=2 success=no
exit=-19 a0=d13a60 a1=2 a2=0 a3=7fff3cad2310 items=0 ppid=1 pid=6050 auid=4294967295 uid=0
gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295
comm="plymouthd" exe="/sbin/plymouthd"
subj=system_u:system_r:plymouthd_t:s0 key=(null)
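To make the point concrete, here is an added example (not code from the thread or from setroubleshoot) that groups audit records by serial number and reports whether an event carries a PATH record with dev/inode at all. The first two sample records are the quoted ones above re-joined onto single lines; serial 204 is a constructed event with a PATH record for contrast.

```python
import errno
import re

# Constructed sample: the thread's two records (serial 203), plus a constructed
# open() denial (serial 204) that did produce a PATH record with dev/inode.
SAMPLE = """node=freddi type=AVC msg=audit(1263843455.583:203): avc: denied { dac_override } for pid=6050 comm="plymouthd" capability=1 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability
node=freddi type=SYSCALL msg=audit(1263843455.583:203): arch=c000003e syscall=2 success=no exit=-19 a0=d13a60 a1=2 a2=0 a3=7fff3cad2310 items=0 ppid=1 pid=6050 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="plymouthd" exe="/sbin/plymouthd" subj=system_u:system_r:plymouthd_t:s0 key=(null)
node=freddi type=SYSCALL msg=audit(1263843460.000:204): arch=c000003e syscall=2 success=no exit=-13 items=1 pid=6051 comm="example" exe="/usr/bin/example"
node=freddi type=PATH msg=audit(1263843460.000:204): item=0 name="/var/lib/example/state" inode=4711 dev=08:02 mode=0100600 ouid=0 ogid=0
"""

HEADER = re.compile(r'^(?:node=(\S+) )?type=(\S+) msg=audit\(([\d.]+):(\d+)\):\s*(.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Split one audit line into node/type/timestamp/serial and a key=value dict."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    node, rtype, ts, serial, body = m.groups()
    fields = {k: v.strip('"') for k, v in FIELD.findall(body)}
    return {"node": node, "type": rtype, "ts": ts, "serial": int(serial), "fields": fields}

def group_events(text):
    """Records that share audit(ts:serial) belong to one event; group them by serial."""
    events = {}
    for line in text.splitlines():
        rec = parse_record(line)
        if rec:
            events.setdefault(rec["serial"], []).append(rec)
    return events

def locate_objects(records):
    """(dev, inode) pairs from PATH records; empty when the kernel emitted none (items=0)."""
    return [(r["fields"].get("dev"), r["fields"].get("inode"))
            for r in records if r["type"] == "PATH"]

def summarize(records):
    """What failed, with which errno, and whether the object can be found by dev/inode."""
    sc = next((r for r in records if r["type"] == "SYSCALL"), None)
    if sc is None:
        return None
    f = sc["fields"]
    rc = int(f.get("exit", "0"))          # exit=-19 is -ENODEV, not a permission error
    return {
        "comm": f.get("comm"),
        "syscall": f.get("syscall"),      # 2 on arch c000003e (x86_64) is open(2)
        "errno": errno.errorcode.get(-rc) if rc < 0 else None,
        "items": int(f.get("items", "0")),
        "denials": [a["fields"].get("tclass") for a in records if a["type"] == "AVC"],
        "objects": locate_objects(records),
    }

if __name__ == "__main__":
    for serial, recs in sorted(group_events(SAMPLE).items()):
        print(serial, summarize(recs))
```

For serial 203 the summary shows items=0 and no objects, which is exactly why there is no device/inode to hand to find; serial 204 shows what a usable event looks like.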