audisp-prelude login question

[LC Bruzenak]

On Thu, 2008-10-30 at 07:46 -0500, LC Bruzenak wrote:
> On Thu, 2008-10-30 at 06:34 -0400, Steve Grubb wrote:
> > 
> > Nope...somewhere the pam originating events are being eaten. You might strace 
> > an xdm login and look for some sendto's followed immediately by recvfrom's to 
> > the audit socket. If they are missing entirely, then xdm is not calling pam. 
> > If they are there, we'd want to look at the return code to see if its having 
> > an error. Is xdm running as root at the point pam is called? Are there 
> > selinux rules? Are there dontaudit rules eating this?
> > 

I removed the dontaudits with  semodule -DB and the events are still not
there. So I don't think my policy is eating them.
Also no strace joy yet because it looks like xdm launches something else
which does the authentication. 

So I went back to the gdm session which audits. I thought if I could see
the strace from that I'd know what to look for on the failing one. Here
is the USER_LOGIN event:
node=hugo type=USER_LOGIN msg=audit(10/30/2008 08:55:53.356:278784) : user pid=7417 uid=root auid=lenny subj=system_u:system_r:xdm_t:s0-s15:c0.c1023 msg='uid=lenny exe=/usr/libexec/gdm-session-worker (hostname=, addr=?, terminal=/dev/tty7 res=success)' 

So I attached strace to the running "gdm-session-worker" process but
that strace isn't particularly insightful (to me at least). How do I
know which one is the audit socket? 
I ran a known audit test program and there I could deduce the audit
socket because I could see the text I was sending in the strace; e.g.:
sendto(4, "\274\0\0\0a\4\5\0\1\0\0\0\0\0\0\0real-pri=2, real"..., 188, 0, {sa_family=AF_NETLINK, pid=0, groups=00000000}, 12) = 188

But looking earlier in the strace doesn't give me much clue as to FD=4
being the audit socket. 

Any suggestions are welcome; thanks again for the help!
LCB.
-- 
LC (Lenny) Bruzenak
lenny at magitekltd.com