How do I figure out on what file dac_override is attempted?

[Eric Paris]

On Tue, 2010-01-19 at 09:57 -0500, Steve Grubb wrote:
> On Tuesday 19 January 2010 04:33:31 am Göran Uddeborg wrote:
> > Daniel J Walsh:
> > > If you use ausearch -m avc to look for this avc, is there some info
> > > setroubleshoot might have dropped?
> > 
> > It didn't miss anything.  It just gave exactly the same info as in the
> > end of the SETroubleshoot message.
> > 
> > (But looking at that and the surrounding events, I realised these
> > AVC:s happen when the machine goes down, not when it comes back up as
> > I first thought.  That could be one more clue.  I'll keep searching.)
> 
> There are 2 general issues. Finding and fixing the current problem and having 
> troubleshooting info for the next incident. To find the current issue, I think 
> all you have to do is add any audit rule which will turn on full auditing. 
> This should get the path record if one exists. You could add a rule like this 
> to /etc/audit/audit.rules:
> 
> -a always,exit -S personality
> 
> and that should be one that never triggers. 
> 
> But going a step further for the next incident, I think that on capability 
> denied decisions for: chown, dac_override, dac_read_search, fowner, fsetid, 
> and linux_immutable,  the object of the operation should be recorded and that 
> would be a file or directory. Device and inode should suffice.

The issue with any cap_* check is that there is no "object of the
operation."   Capabilities are really just checks for the process.  I
think the only way to get it is going to be to make sure you have an
audit rule and you'd get a name record.  I tend to use

-a exit,always -F arch=b32 -S kill -F pid=1

Which is sure to never trigger....

-Eric