This patch came from our L3 department. AppArmor LSM is logging using the common_lsm_audit() call but the audit userspace parsing code expects to see an SELinux tclass field. This patch doesn't address the lack of support for AppArmor in "aureport --avc". Talking to Seth Arnold, Canonical apparently has patches for this; if this is true perhaps they can post for inclusion.
Based-on-work-by: William Preston <[email protected]> Signed-off-by: Tony Jones <[email protected]> --- a/src/ausearch-parse.c 2014-05-21 14:45:22.000000000 +0200 +++ b/src/ausearch-parse.c 2014-05-21 14:53:55.000000000 +0200 @@ -1735,17 +1735,15 @@ static int parse_avc(const lnode *n, sea // Now get the class...its at the end, so we do things different str = strstr(term, "tclass="); - if (str == NULL) { - rc = 9; - goto err; + if (str) { + str += 7; + term = strchr(str, ' '); + if (term) + *term = 0; + an.avc_class = strdup(str); + if (term) + *term = ' '; } - str += 7; - term = strchr(str, ' '); - if (term) - *term = 0; - an.avc_class = strdup(str); - if (term) - *term = ' '; if (audit_avc_init(s) == 0) { alist_append(s->avc, &an); -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
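Review bot: With the `if (str == NULL) { rc = 9; goto err; }` branch removed, a record with no `tclass=` field now falls through to `alist_append(s->avc, &an)` with `an.avc_class` never assigned in this hunk. Please confirm that `an.avc_class` is initialised to NULL earlier in parse_avc() and that every consumer of the AVC list (matching, printing, freeing) tolerates a NULL class. The relaxation also applies to SELinux records, so a truncated or malformed SELinux AVC that previously failed with rc 9 is now accepted silently. Consider skipping the class only when the record is identifiably from AppArmor and keeping the error for the SELinux case. The result of `strdup(str)` is still unchecked in the new block, and the comment "Now get the class...its at the end" should say that the field is optional for non-SELinux LSMs.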
