Description of problem:
I am submitting this under selinux-policy as I can't see a generic selinux category or something specific to SELinux Alert Browser. Please file under correct category if I missed it.

I searched bug database under SELinux alert, SELinux warning, and SElinux. The first two showed nothing, the third had a whole lot but nothing that I could decipher as being close to this.

On F14 x86_64 using Gnome, I would get a pop-up when SELinux would issue a warning that I could then see in the SELinux Alert Browser (and could match up with what I saw in /var/log/audit/audit.log)

In F16 i686 using Xfce, I do not get any clue that a warning has occurred and, when I bring up SELinux Troubleshooter to get the SELinux Alert Browser, it says there have been no warnings yet I can see them in /var/log/audit/audit.log.

I suspect the lack of a pop-up has to do with it not thinking a warning has occurred.

For testing, I am using my example from Bug 720223 in which I have a call to clamscan inside rc.local (the bug was incorrectly closed by me as I just discovered the warning in the log file today --- I am trying to reopen it). I have the call in a script so I can wrap it in a setenforce 0/1 to make errors into warnings (I tested without the wrapper awhile back and got same behavior for 720223 --- don't think such is an issue in this bug where its just Alert Browser not seeing warning in log file).

Version-Release number of selected component (if applicable):
F14:
  uname: 2.6.35.14-106.fc14.x86_64
  libselinux: 2.0.96-6.fc14.1
  selinux-policy: 3.9.7-46.fc14

F16:
  uname: 3.1.9-1/fc16.i686 PAE
  libselinux: 2.1.6-5.fc16
  selinux-policy: 3.10.0-71.fc16

How reproducible:
100%

Steps to Reproduce:
1. on F16 machine, edit a marker tag into /var/log/audit/audit.log
2. cycle power or reboot
3. assuming you've put clamscan (or something else that will generate warnings) in the rc.local, you should be able to view /var/log/audit/audit.log and see those "avc: denied" warnings after your marker
4. bring up SELinux TroubleShooter and SELinux Alert Browser will indicate that there are no warnings
  
Actual results:
Warnings have occurred and I haven't been notified

Expected results:
Like F14, I should get a pop-up warning and, when looking in SELinux Alert Browser, I should see those warnings

Additional info:
I do not get any clamscan warnings if I run it as a cron job or directly execute as root ... the only place I see that bug is from a command inside rc.local (as in Bug 720223). It just so happens that using that bug as a test case displays this bug.

I discovered this while trying to give more information for Bug 783364. I might have things not clearly separated between these two bugs and this new one that I am reporting ... please advise if I am doing a bad juggling job (smile)

I put this as a "medium" as I haven't hit a situation where not knowing about a warning is important, but I could easily imagine a different usage where such would make the bug more important.

Please let me know what more info I can give. If you want, I will send you an edited version of /var/log/audit/audit.log ... I just like to know what I need to send with it to show that SELinux Alert Browser doesn't think there have been any warnings as that seems to be problem.

Thanks,
Paul