From: Tony Jones
Subject: [PATCH] userspace: audit: ausearch doesn't return entries for AppArmor events that exist in the log
Date: Wed, 28 May 2014 15:33:06 -0700
Message-ID: <53866422.5010709@suse.de>
To: linux-audit@redhat.com
Cc: seth.arnold@canonical.com, wpreston@suse.com
List-Id: linux-audit@redhat.com

This patch came from our L3 department. AppArmor LSM is logging using the common_lsm_audit() call but the audit userspace parsing code expects to see an SELinux tclass field.

This patch doesn't address the lack of support for AppArmor in "aureport --avc". Talking to Seth Arnold, Canonical apparently has patches for this; if this is true perhaps they can post for inclusion.

Based-on-work-by: William Preston
Signed-off-by: Tony Jones

--- a/src/ausearch-parse.c 2014-05-21 14:45:22.000000000 +0200 +++ b/src/ausearch-parse.c 2014-05-21 14:53:55.000000000 +0200 @@ -1735,17 +1735,15 @@ static int parse_avc(const lnode *n, sea // Now get the class...its at the end, so we do things different str = strstr(term, "tclass="); - if (str == NULL) { - rc = 9; - goto err; + if (str) { + str += 7; + term = strchr(str, ' '); + if (term) + *term = 0; + an.avc_class = strdup(str); + if (term) + *term = ' '; } - str += 7; - term = strchr(str, ' '); - if (term) - *term = 0; - an.avc_class = strdup(str); - if (term) - *term = ' '; if (audit_avc_init(s) == 0) { alist_append(s->avc, &an);
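
Review bot: in the new `if (str)` branch of parse_avc(), `an.avc_class` is left untouched when the record has no `tclass=` field, so the node handed to `alist_append(s->avc, &an)` carries whatever `an.avc_class` held before this point. The hunk does not show that member being set to NULL, so please confirm it is initialized earlier in the function and that every reader of avc_class (class matching, output, free) tolerates NULL. Dropping `rc = 9; goto err;` also makes tclass optional for every AVC record, not only AppArmor ones, so an SELinux record with a missing or truncated tclass is now accepted silently; a short comment above the strstr() call saying why the field is optional (records logged through common_lsm_audit() by AppArmor lack it) would make that intent explicit. The strdup() result is still unchecked after the move, and with the error exit gone an allocation failure here is indistinguishable from a record that simply has no class.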