From mboxrd@z Thu Jan 1 00:00:00 1970 From: Peng Haitao Subject: [PATCH] Fix a bug that use option '-p process-id' cannot search out all matched logs Date: Thu, 11 Sep 2008 13:05:36 +0800 Message-ID: <48C8A720.60706@cn.fujitsu.com> Mime-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 7bit Return-path: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: Steve Grubb Cc: audit-list List-Id: linux-audit@redhat.com Hello steve, Use option '-p process-id' cannot search out the log which contains the given process-id and message type is AVC. For example: # echo 'type=AVC msg=audit(1221036190.313:3232615): avc: denied { append } for pid=8961 comm="cupsd" path="/var/log/cups/access_log" dev=hda7 ino=1210126 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:file_t:s0 tclass=file' | ausearch -p 8961 Signed-off-by: Peng Haitao --- src/ausearch-parse.c | 27 +++++++++++++++++++++------ 1 files changed, 21 insertions(+), 6 deletions(-) diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c index d2cb44d..e3ffa8c 100644 --- a/src/ausearch-parse.c +++ b/src/ausearch-parse.c @@ -1209,11 +1209,26 @@ static int parse_avc(const lnode *n, search_items *s) *term = ' '; } + // get pid + str = strstr(term, "pid="); + if (str) { + str = str + 4; + term = strchr(str, ' '); + if (term == NULL) + return 3; + *term = 0; + errno = 0; + s->pid = strtoul(str, NULL, 10); + if (errno) + return 4; + *term = ' '; + } + if (event_comm && s->comm == NULL) { // dont do this search unless needed str = strstr(term, "comm="); if (str == NULL) { - rc = 3; + rc = 5; goto err; } str += 5; @@ -1221,7 +1236,7 @@ static int parse_avc(const lnode *n, search_items *s) str++; term = strchr(str, '"'); if (term == NULL) { - rc = 4; + rc = 6; goto err; } *term = 0; 
@@ -1250,7 +1265,7 @@ static int parse_avc(const lnode *n, search_items *s) str += 9; term = strchr(str, ' '); if (term == NULL) { - rc = 5; + rc = 7; goto err; } *term = 0; @@ -1266,7 +1281,7 @@ static int parse_avc(const lnode *n, search_items *s) str += 9; term = strchr(str, ' '); if (term == NULL) { - rc = 6; + rc = 8; goto err; } *term = 0; @@ -1278,7 +1293,7 @@ static int parse_avc(const lnode *n, search_items *s) // Now get the class...its at the end, so we do things different str = strstr(term, "tclass="); if (str == NULL) { - rc = 7; + rc = 9; goto err; } str += 7; @@ -1292,7 +1307,7 @@ static int parse_avc(const lnode *n, search_items *s) if (audit_avc_init(s) == 0) { alist_append(s->avc, &an); } else { - rc = 8; + rc = 10; goto err; } -- 1.5.3 -- Regards Peng Haitao
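Review bot: in the new pid block of the first hunk (`@@ -1209,11 +1209,26 @@`), the two failure paths are bare `return 3;` and `return 4;`, while every other failure in parse_avc sets `rc` and does `goto err`; if the err label releases anything, these two returns skip it, so `rc = 3; goto err;` / `rc = 4; goto err;` would be consistent with the rest of the function. The block also runs unconditionally, whereas the comm block right below it is guarded by `if (event_comm && s->comm == NULL)`; a matching guard would avoid overwriting an `s->pid` already taken from an earlier record of the same event and would skip the work when no pid search was asked for. Finally, `strtoul(str, NULL, 10)` with only an errno check treats a non-numeric `pid=` value as 0 rather than as an error; passing an end pointer and checking that it reached the terminating NUL would reject a malformed field.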
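Review bot: the `- rc = 3; + rc = 5;` change in the hunk at `@@ -1221,7 +1236,7 @@` (and the 4->6, 5->7, 6->8, 7->9 and 8->10 renumbering in the hunks that follow) alters the codes parse_avc returns for failures unrelated to the pid lookup; unless every caller only tests the result against zero, that is a behaviour change hidden in a bug fix. Giving the new pid block the next unused codes after 8 instead would leave the existing return values untouched and reduce the patch to the single hunk that adds the pid parsing.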