Comment 63 for bug 1160372

(In reply to comment #11)
> Well, I suspect the pam subsystem try to open a /dev/log.

PAM calls syslog(), which I assumes opens /dev/log.

> 2013-02-21T14:20:17.693042+01:00 linux-xtv2 vsftpd[1]: pam_unix(vsftpd:auth):
> authentication failure; logname= uid=0 euid=0 tty=ftp ruser=mvyskocil rhost=::1
> user=mvyskocil
> 2013-02-21T14:20:18.407159+01:00 linux-xtv2 vsftpd[1]: pam_sss(vsftpd:auth):
> authentication success; logname= uid=0 euid=0 tty=ftp ruser=mvyskocil rhost=::1
> user=mvyskocil
> 2013-02-21T14:20:18.409089+01:00 linux-xtv2 vsftpd[1]: PAM
> audit_log_acct_message() failed: Operation not permitted
> 2013-02-21T14:20:18.411338+01:00 linux-xtv2 vsftpd[1]: [mvyskocil] FAIL LOGIN:
> Client "::1"
>
> @thorsen: I would say both CAP_AUDIT_* are needed for vsftpd. I'm right?

I have no idea about CAP_AUDIT_*, but PAM is using the audit subsystem for logging.