
Conversation

@cgzones (Contributor) commented Jun 20, 2025

Embedded fields, e.g. from libselinux in AVC records, are currently not correctly identified due to the name having trailing whitespaces. This leads to security contexts with MCS categories to be split, e.g.:

from

time->Fri Jun 13 23:26:09 2025
type=PROCTITLE msg=audit(1749849969.631:6691): proctitle=2F7573722F62696E2F706870002D66002F7661722F7777772F73697465732F6E657874636C6F75642F63726F6E2E706870
type=SYSCALL msg=audit(1749849969.631:6691): arch=c000003e syscall=64 success=no exit=-13 a0=7ea a1=3 a2=3b6 a3=7d6a32a17460 items=0 ppid=1 pid=200718 auid=4294967295 uid=33 gid=33 euid=33 suid=33 fsuid=33 egid=33 sgid=33 fsgid=33 tty=(none) ses=4294967295 comm="php" exe="/usr/bin/php8.4" subj=system_u:system_r:nextcloudcron_t:s0:c123,c456 key=(null)
type=AVC msg=audit(1749849969.631:6691): avc:  denied  { create } for  pid=200718 comm="php" ipc_key=2026  scontext=system_u:system_r:nextcloudcron_t:s0:c123,c456 tcontext=system_u:system_r:nextcloudcron_t:s0:c123,c456 tclass=sem permissive=0

into

type=PROCTITLE msg=audit(06/13/25 23:26:09.631:6691) : proctitle=/usr/bin/php -f /var/www/sites/nextcloud/cron.php
type=SYSCALL msg=audit(06/13/25 23:26:09.631:6691) : arch=x86_64 syscall=semget success=no exit=EACCES(Permission denied) a0=0x7ea a1=0x3 a2=0x3b6 a3=0x7d6a32a17460 items=0 ppid=1 pid=200718 auid=unset uid=www-data gid=www-data euid=www-data suid=www-data fsuid=www-data egid=www-data sgid=www-data fsgid=www-data tty=(none) ses=unset comm=php exe=/usr/bin/php8.4 subj=system_u:system_r:nextcloudcron_t:s0:c123,c456 key=(null)
type=AVC msg=audit(06/13/25 23:26:09.631:6691) : avc:  denied  { create } for  pid=200718 comm=php ipc_key=2026  scontext=system_u:system_r:nextcloudcron_t:s0:c123 c456 tcontext=system_u:system_r:nextcloudcron_t:s0:c123 c456 tclass=sem permissive=0

(note the missing comma for scontext and tcontext in the AVC record between c123 and c456)

Ignore leading white spaces in names to correctly identify " scontext" as AUPARSE_TYPE_MAC_LABEL and avoid splitting its value on commas.
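To make the failure mode concrete, here is a small C model of the two stages involved: splitting a record into name=value pairs, then looking up each name's type before the value is interpreted. It is an added example written for this page, not code from audit-userspace; parse_fields, lookup_type, interpret_value, parts_for_field and the TYPE_MAC_LABEL constant are simplified stand-ins for the real auparse machinery, and the sample record is constructed from the AVC line quoted above. With the name kept as " scontext" the exact-name lookup misses and the value is rendered as a comma list ("c123 c456"); skipping leading whitespace before the lookup keeps the label whole.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define MAX_FIELDS 16
#define MAX_LEN 128

/* Constructed sample: the name=value part of the AVC record quoted in the
 * pull request, including the double space before scontext. */
static const char SAMPLE_AVC[] =
    "pid=200718 comm=\"php\" ipc_key=2026  "
    "scontext=system_u:system_r:nextcloudcron_t:s0:c123,c456 "
    "tcontext=system_u:system_r:nextcloudcron_t:s0:c123,c456 "
    "tclass=sem permissive=0";

struct field { char name[MAX_LEN]; char value[MAX_LEN]; };
/* Hypothetical stand-in for auparse's field-type constants. */
enum ftype { TYPE_UNCLASSIFIED, TYPE_MAC_LABEL };

/* Simplified splitter: a name runs from the end of the previous value to '=',
 * a value runs to the next space, so two spaces between fields leave a
 * leading space in the next name (the condition the PR describes). */
static int parse_fields(const char *rec, struct field *out, int max)
{
    int n = 0;
    const char *p = rec;
    while (*p && n < max) {
        const char *eq = strchr(p, '=');
        if (!eq) break;
        const char *vstart = eq + 1, *vend = strchr(vstart, ' ');
        if (!vend) vend = vstart + strlen(vstart);
        size_t nlen = (size_t)(eq - p), vlen = (size_t)(vend - vstart);
        if (nlen >= MAX_LEN || vlen >= MAX_LEN) break;
        memcpy(out[n].name, p, nlen);
        out[n].name[nlen] = '\0';
        memcpy(out[n].value, vstart, vlen);
        out[n].value[vlen] = '\0';
        n++;
        p = (*vend == ' ') ? vend + 1 : vend;
    }
    return n;
}

/* Exact-name type lookup. With trim_leading set, leading whitespace is
 * skipped first, so " scontext" still resolves to TYPE_MAC_LABEL. */
enum ftype lookup_type(const char *name, int trim_leading)
{
    static const char *const mac[] = { "scontext", "tcontext", "subj", "obj" };
    if (trim_leading)
        while (isspace((unsigned char)*name)) name++;
    for (size_t i = 0; i < sizeof mac / sizeof mac[0]; i++)
        if (strcmp(name, mac[i]) == 0)
            return TYPE_MAC_LABEL;
    return TYPE_UNCLASSIFIED;
}

/* Simplified interpretation: a MAC label is copied whole; any other value is
 * treated as a comma-separated list and rendered with commas replaced by
 * spaces (how "c123 c456" shows up in the PR). Returns the element count. */
static int interpret_value(const struct field *f, int trim_leading, char *out)
{
    int n = 1;
    snprintf(out, MAX_LEN, "%s", f->value);
    if (lookup_type(f->name, trim_leading) == TYPE_MAC_LABEL)
        return 1;
    for (char *c = out; *c; c++)
        if (*c == ',') { *c = ' '; n++; }
    return n;
}

/* Parse rec, find the field whose trimmed name equals want, and return how
 * many elements the interpreter yields for it (-1 if absent). The rendered
 * value is copied to out when out is not NULL. */
int parts_for_field(const char *rec, const char *want, int trim_leading, char *out)
{
    struct field fields[MAX_FIELDS];
    char buf[MAX_LEN];
    int n = parse_fields(rec, fields, MAX_FIELDS);
    for (int i = 0; i < n; i++) {
        const char *name = fields[i].name;
        while (isspace((unsigned char)*name)) name++;
        if (strcmp(name, want) != 0) continue;
        int parts = interpret_value(&fields[i], trim_leading, buf);
        if (out) snprintf(out, MAX_LEN, "%s", buf);
        return parts;
    }
    return -1;
}

int main(void)
{
    char out[MAX_LEN];
    for (int trim = 0; trim <= 1; trim++) {
        int n = parts_for_field(SAMPLE_AVC, "scontext", trim, out);
        printf("%s name: %d element(s): %s\n", trim ? "trimmed" : "untrimmed", n, out);
    }
    return 0;
}
```

Only the field preceded by the double space is affected: tcontext, separated by a single space, matches the table exactly and stays intact in both runs. Where the trimming belongs (in the splitter or at lookup time) is a separate placement choice; the model only shows that an untrimmed name never reaches the right type.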

@stevegrubb (Contributor):
2 thoughts: Is this being fixed at the source of the problem? Meaning, has this been addressed upstream in the code that creates records with extra spaces in it? The other thought: there is code in ellist.c, parse_up_record, that is responsible for splitting up the record into name=value pairs. This is probably the better place to remove the whitespace.

@stevegrubb (Contributor):
Or if this is being shown by the ausearch program, there is code in ausearch-parse.c, parse_avc, that splits this into name=value pairs. When it gets to interpret, it should have been properly split up already. I agree that you found an issue that needs addressing. I think the place where the fix should go is somewhere else.

@stevegrubb (Contributor):
The interpretations subsystem expects everything to be cleaned up. The layer above this that does the parsing is where the problem is for not getting rid of the whitespace. Is this report about event parsing in the auparse library? I just looked through ausearch-parse.c and it should be parsing OK.

@cgzones (Contributor, Author) commented Jun 25, 2025

Relocated the fix

@stevegrubb (Contributor):
Thanks

@stevegrubb stevegrubb merged commit 06c1cdc into linux-audit:master Jun 28, 2025
4 checks passed
@cgzones cgzones deleted the mcs_comma branch June 28, 2025 15:00