The CONTAINER_ID record contid field can contain comma-separated values when accompanying a NETFILTER_PKT record. Records appeared interpreted as such: Wrong: CONTAINER_ID msg=audit(2019-04-10 13:20:18.746:1690) : contid=777 666,333 Right: CONTAINER_ID msg=audit(2019-04-10 13:20:18.746:1690) : contid=777,666,333
Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx>
---
 src/ausearch-report.c | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/src/ausearch-report.c b/src/ausearch-report.c
index 416c2b13fa6a..754b28af2cb6 100644
--- a/src/ausearch-report.c
+++ b/src/ausearch-report.c
@@ -279,7 +279,7 @@ no_print:
 if (str && val && (str < val)) {
 // Value side has commas and another field exists
 // Known: LABEL_LEVEL_CHANGE banners=none,none
- // Known: ROLL_ASSIGN new-role=r,r
+ // Known: ROLE_ASSIGN new-role=r,r
 // Known: any MAC LABEL can potentially have commas
 int ftype = auparse_interp_adjust_type(n->type, name, val);
@@ -293,9 +293,11 @@ no_print:
 } else if (str && (val == NULL)) {
 // Goes all the way to the end. Done parsing
 // Known: MCS context in PATH rec obj=u:r:t:s0:c2,c7
+ // Known: CONTAINER_ID/OP old-/contid can be a comma-separated list
 int ftype = auparse_interp_adjust_type(n->type, name, ptr);
- if (ftype == AUPARSE_TYPE_MAC_LABEL)
+ if (ftype == AUPARSE_TYPE_MAC_LABEL
+ || ftype == AUPARSE_TYPE_CONTID)
 str = NULL;
 else {
 *str++ = 0;
-- 
1.8.3.1
_______________________________________________
Containers mailing list
Containers@xxxxxxxxxxxxxxxxxxxxxxxxxx
https://lists.linuxfoundation.org/mailman/listinfo/containers
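Review bot: In the second hunk the `AUPARSE_TYPE_CONTID` exemption is added only to the `val == NULL` branch, where the value runs to the end of the token. The `str < val` branch in the first hunk, which handles a comma-bearing value followed by another field, is left as it was, and its type check lies outside the hunk. If a contid list can ever be followed by another field in the same token, it would presumably still be split there and the interpreted audit output would again misrepresent the value, so it is worth confirming and, if needed, adding the same `|| ftype == AUPARSE_TYPE_CONTID` test. The new comment is terse; `// Known: CONTAINER_ID and CONTAINER_OP contid/old-contid may be a comma-separated list` would read more clearly. Both branches continue outside the hunks.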