* [PATCH] Fix a bug of executing "aureport -a"
@ 2008-09-20 3:39 Peng Haitao
From: Peng Haitao @ 2008-09-20 3:39 UTC (permalink / raw)
To: Steve Grubb; +Cc: audit-list
Hello Steve,
Use option "-a" cannot report about avc messages, when message type is USER_AVC.
# echo "type=USER_AVC msg=audit(1221967380.698:35458): user pid=8185 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0 msg='avc: received policyload notice (seqno=6) : exe=\"?\" (sauid=81, hostname=?, addr=?, terminal=?)'" | aureport -a
AVC Report
========================================================
# date time comm subj syscall class permission obj event
========================================================
<no events of interest were found>
Signed-off-by: Peng Haitao <penght@cn.fujitsu.com>
---
src/aureport-scan.c | 3 +++
1 files changed, 3 insertions(+), 0 deletions(-)
diff --git a/src/aureport-scan.c b/src/aureport-scan.c
index f42cf12..9374a02 100644
--- a/src/aureport-scan.c
+++ b/src/aureport-scan.c
@@ -449,6 +449,9 @@ static int per_event_detailed(llist *l)
if (list_find_msg(l, AUDIT_AVC)) {
print_per_event_item(l);
rc = 1;
+ } else if (list_find_msg(l, AUDIT_USER_AVC)) {
+ print_per_event_item(l);
+ rc = 1;
}
break;
case RPT_MAC:
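Review bot: the added else-if branch in per_event_detailed() repeats the body of the AUDIT_AVC branch line for line; fold both into one condition, if (list_find_msg(l, AUDIT_AVC) || list_find_msg(l, AUDIT_USER_AVC)), so the handling of the two record types cannot drift apart in a later edit. The sample USER_AVC record in the commit message is a policyload notice with no comm, syscall, class or permission fields, while the report header lists those columns, so it is worth confirming what print_per_event_item() emits for such a record and including the post-patch output in the commit message next to the failing case.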
--
1.5.3
--
Regards
Peng Haitao
* Re: [PATCH] Fix a bug of executing "aureport -a"
@ 2008-09-20 12:32 ` Steve Grubb
From: Steve Grubb @ 2008-09-20 12:32 UTC (permalink / raw)
To: Peng Haitao; +Cc: audit-list
On Friday 19 September 2008 23:39:36 Peng Haitao wrote:
> Use option "-a" cannot report about avc messages, when message type is
> USER_AVC.
Applied. Thanks for the patch.
I quit working on USER_AVCs earlier this year because the source of the AVCs
were not following the conventions we had long established about encoding
certain fields. I don't know the current state or how many bugs you will
find. One of the APIs added in 1.7.7 should help the writers of user space
AVCs to properly encode some fields.
-Steve