From mboxrd@z Thu Jan  1 00:00:00 1970
From: Steve Grubb <sgrubb@redhat.com>
Subject: Kernel patches needed
Date: Thu, 09 May 2013 09:26:58 -0400
Message-ID: <6029710.WhGyKOtD7f@x2>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Return-path: <linux-audit-bounces@redhat.com>
Received: from x2.localnet (vpn-239-226.phx2.redhat.com [10.3.239.226])
	by int-mx12.intmail.prod.int.phx2.redhat.com (8.14.4/8.14.4) with ESMTP
	id r49DR4JG006985
	(version=TLSv1/SSLv3 cipher=DHE-RSA-AES256-SHA bits=256 verify=NO)
	for <linux-audit@redhat.com>; Thu, 9 May 2013 09:27:04 -0400
List-Unsubscribe: <https://www.redhat.com/mailman/options/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=unsubscribe>
List-Archive: <https://www.redhat.com/archives/linux-audit>
List-Post: <mailto:linux-audit@redhat.com>
List-Help: <mailto:linux-audit-request@redhat.com?subject=help>
List-Subscribe: <https://www.redhat.com/mailman/listinfo/linux-audit>,
	<mailto:linux-audit-request@redhat.com?subject=subscribe>
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

Hi,

I was just doing some validation work to make sure the newly converted 
ausearch is producing the exact same output as it used to...and found a couple 
items that needs patching.

1) AUDIT_TTY events are not recording a subject field.
2) AVC records can sometimes have dev="md1". The dev field is documented as 
being the numeric device number. Cases like this should be changed to 
"devname" which can be encoded.
3) We might need a supplemental record for *setxattr. The flags field is the 
fifth argument and not recorded anywhere.

Thanks,
-Steve