Steve Grubb:
The problem is that if you don't have auditing enabled and later in the syscall have an AVC, the data you need may be gone. The AVC has the device and inode,
This I don't understand. The raw audit records WERE included in the message. (I repeat them below.) But they don't include any inode.
Does setroubleshoot give instructions on how to use the inode and device with the find command?
No, but I would know how to do it. If I had any device/inode to search for.
Raw Audit Messages
node=freddi type=AVC msg=audit(1263843455.583:203): avc: denied { dac_override } for pid=6050 comm="plymouthd" capability=1 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability
node=freddi type=SYSCALL msg=audit(1263843455.583:203): arch=c000003e syscall=2 success=no exit=-19 a0=d13a60 a1=2 a2=0 a3=7fff3cad2310 items=0 ppid=1 pid=6050 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="plymouthd" exe="/sbin/plymouthd" subj=system_u:system_r:plymouthd_t:s0 key=(null)
selinux@lists.fedoraproject.org
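The two steps the exchange above turns on, checking whether the raw records for an event carry a device and inode at all, and then locating the file with find once you have one, as an added example that is not part of the original thread. Audit puts the device and inode in a PATH record (fields dev= and inode=); the AVC and SYSCALL pair quoted above has items=0 and no PATH record, so the search has nothing to start from. The AVC and SYSCALL records below are copies of the ones in the message; the PATH record, its name, inode and dev values, and the helper names are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the list thread.
# (1) Pull named fields out of raw audit records.
# (2) Report whether an event's records carry dev= and inode= (only PATH records do).
# (3) Locate a file by inode on one filesystem with find, as the reply says one would.

# Copies of the thread's records: an AVC and a SYSCALL, and no PATH record.
AVC_REC='node=freddi type=AVC msg=audit(1263843455.583:203): avc: denied { dac_override } for pid=6050 comm="plymouthd" capability=1 scontext=system_u:system_r:plymouthd_t:s0 tcontext=system_u:system_r:plymouthd_t:s0 tclass=capability'
SYSCALL_REC='node=freddi type=SYSCALL msg=audit(1263843455.583:203): arch=c000003e syscall=2 success=no exit=-19 a0=d13a60 a1=2 a2=0 a3=7fff3cad2310 items=0 ppid=1 pid=6050 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) ses=4294967295 comm="plymouthd" exe="/sbin/plymouthd" subj=system_u:system_r:plymouthd_t:s0 key=(null)'
# Constructed PATH record (hypothetical name, inode and dev) to show the positive case.
PATH_REC='node=freddi type=PATH msg=audit(1263843455.583:203): item=0 name="/var/lib/plymouth/boot-duration" inode=131337 dev=fd:01 mode=0100644 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:var_lib_t:s0'

# audit_field KEY RECORD -> value of "KEY=" in RECORD, empty if absent.
# A leading space is required before KEY so that "pid=" does not match "ppid="
# and "dev=" does not match "rdev=".
audit_field() {
    printf ' %s\n' "$2" | sed -n "s/.*[[:space:]]$1=\([^[:space:]]*\).*/\1/p"
}

# event_inode RECORD... -> prints "DEV INODE" from the first PATH record that
# carries an inode; prints nothing and returns 1 when no record has one
# (the situation in the thread).
event_inode() {
    for rec in "$@"; do
        case "$rec" in
            *"type=PATH"*) ;;
            *) continue ;;
        esac
        ino=$(audit_field inode "$rec")
        dev=$(audit_field dev "$rec")
        if [ -n "$ino" ]; then
            printf '%s %s\n' "$dev" "$ino"
            return 0
        fi
    done
    return 1
}

# find_by_inode MOUNTPOINT INODE -> paths on that one filesystem with that inode.
# -xdev keeps find on the filesystem the dev= value names; map dev=MAJ:MIN
# to a mount point first (findmnt, or /proc/self/mountinfo).
find_by_inode() {
    find "$1" -xdev -inum "$2" 2>/dev/null
}

# Demonstration of both cases.
if event_inode "$AVC_REC" "$SYSCALL_REC" >/dev/null; then
    echo "unexpected: the thread's records carry an inode"
else
    echo "AVC+SYSCALL only (items=$(audit_field items "$SYSCALL_REC")): no device/inode to search for"
fi
set -- $(event_inode "$AVC_REC" "$SYSCALL_REC" "$PATH_REC")
echo "PATH record gives dev=$1 inode=$2 -> find <mountpoint> -xdev -inum $2"
```

The SYSCALL record's numeric fields decode with the audit userspace tools rather than by hand: `ausyscall x86_64 2` gives the syscall name for arch=c000003e, and `ausearch -i` interprets a whole event, but neither can conjure a device or inode that the PATH record was never written to hold.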