On 5/22/2021 7:00 PM, Steve Grubb wrote: > On Friday, May 21, 2021 6:05:41 PM EDT Casey Schaufler wrote: >>>> The record is produced only in cases where there is more than one >>>> security module with a process "context". >>>> In cases where this record is produced the subj= fields of >>>> other records in the audit event will be set to "subj=?". >>>> >>>> An example of the MAC_TASK_CONTEXTS (1420) record is: >>>> >>>> type=UNKNOWN[1420] >>>> msg=audit(1600880931.832:113) >>>> subj_apparmor==unconfined >>> It should be just a single "=" in the line above. >> AppArmor provides the 2nd "=" as part of the subject context. >> What's here is correct. I won't argue that it won't case confusion >> or worse. > We have a specification for a very long time: > > https://github.com/linux-audit/audit-documentation/wiki/SPEC-Writing-Good-Events > > Everyone has to obey rules or no tools work.
Right. Would quoting the value subj_apparmor="=unconfined" suffice? I think that's what the rulebook says, but I like to be sure. -- Linux-audit mailing list [email protected] https://listman.redhat.com/mailman/listinfo/linux-audit
