Hello steve,

When the value of "exe=" is not enclosed in double quotes, it is not parsed correctly.

For example:
# echo "type=USER_ROLE_CHANGE msg=audit(1219940034.985:363068): user pid=24741 
uid=0 auid=0 subj=root:system_r:semanage_t:s0-s0:c0.c1023 msg='op=delete 
SELinux user mapping acct="sltester" old-seuser=? old-role=? old-range=? 
new-seuser=? new-role=? new-range=? exe=/usr/sbin/semanage (hostname=?, addr=?, 
terminal=? res=failed)'" | ausearch -x "/usr/sbin/semanage"
<no matches>

Signed-off-by: Peng Haitao <[EMAIL PROTECTED]>

---
 src/ausearch-parse.c |   22 ++++++++++++++++++++--
 1 files changed, 20 insertions(+), 2 deletions(-)

diff --git a/src/ausearch-parse.c b/src/ausearch-parse.c
index b80b984..1bc598f 100644
--- a/src/ausearch-parse.c
+++ b/src/ausearch-parse.c
@@ -871,8 +871,26 @@ static int parse_user(const lnode *n, search_items *s)
                                *term = 0;
                                s->exe = strdup(str);
                                *term = '"';
-                       } else 
-                               s->exe = unescape(str);
+                       } else {
+                               char *end = str;
+                               int legacy = 0;
+
+                               while (*end != ' ') {
+                                       if (!isxdigit(*end)) {
+                                               legacy = 1;
+                                       }
+                                       end++;
+                               }
+                               term = end;
+                               if (!legacy)
+                                       s->exe = unescape(str);
+                               else {
+                                       saved = *term;
+                                       *term = 0;
+                                       s->exe = strdup(str);
+                                       *term = saved;
+                               }
+                       }
                }
        }
        
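Review bot: The scan `while (*end != ' ')` in the new else branch stops only at a space, so an unquoted exe= value that runs to the end of the record walks `end` past the terminating NUL, and the legacy path then writes through `term` at that out-of-bounds position. ausearch takes records from log files and from stdin (as in the example in the description), so the loop should be bounded: `while (*end && *end != ' ') {`. Passing a plain `char` to `isxdigit` is undefined for negative values, so the test is safer as `if (!isxdigit((unsigned char)*end)) {`. `saved` is not declared in this hunk and is presumably defined earlier in parse_user, whose body starts and ends outside the hunk.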
-- 
1.5.3


-- 
Regards
Peng Haitao
