Hello Casey, On Monday, May 24, 2021 11:53:30 AM EDT Casey Schaufler wrote: > On 5/22/2021 7:00 PM, Steve Grubb wrote: > > On Friday, May 21, 2021 6:05:41 PM EDT Casey Schaufler wrote: > >>>> The record is produced only in cases where there is more than one > >>>> security module with a process "context". > >>>> In cases where this record is produced the subj= fields of > >>>> other records in the audit event will be set to "subj=?". > >>>> > >>>> An example of the MAC_TASK_CONTEXTS (1420) record is: > >>>> > >>>> type=UNKNOWN[1420] > >>>> msg=audit(1600880931.832:113) > >>>> subj_apparmor==unconfined > >>> > >>> It should be just a single "=" in the line above. > >> > >> AppArmor provides the 2nd "=" as part of the subject context. > >> What's here is correct. I won't argue that it won't case confusion > >> or worse. > > > > We have a specification for a very long time: > > > > https://github.com/linux-audit/audit-documentation/wiki/SPEC-Writing-Good > > -Events > > > > Everyone has to obey rules or no tools work. > > Right. Would quoting the value subj_apparmor="=unconfined" suffice?
Yes, if you really need that '=' as part of the value. I'd try to do away with it entirely if possible. Generally '==' is used to convey "equal to". Where '=' means "is assigned". I'd argue that they are interchangable in meaning and can simply be converted to the log's expected format. > I think that's what the rulebook says, but I like to be sure. :-) -Steve -- Linux-audit mailing list [email protected] https://listman.redhat.com/mailman/listinfo/linux-audit
