Re: Capabilities audit field

On Mon, 13 Oct 2008, Steve Grubb wrote:

> On Monday 13 October 2008 18:54:50 James Morris wrote:
> > >                case AVC_AUDIT_DATA_CAP:
> > >                        audit_log_format(ab, " capability=%d", a->u.cap);
> > >                        break;
> >
> > Nope, the capability number is correctly recorded in a->u.cap, and you'll
> > also see capability2 as the tclass value.
> 
> avc:  denied  { ipc_owner } for  pid=4653 comm="ntpd" capability=15
> scontext=root:system_r:ntpd_t tcontext=root:system_r:ntpd_t
> tclass=capability
> 
> Hmm...the tclass field, being at the end, has not been parsed at the moment I 
> need it to decide what capability we are talking about. tclass really should 
> have been moved up nearer the beginning if it's being used to determine how to 
> interpret other fields. It would be nicer if there was some hint at whether 
> we are dealing with a cap1 or cap2 capability before the capability field. I 
> guess my other choice is to drop interpretation of capabilities in ausearch 
> since now I don't know which set to use until after I've already printed what 
> I thought it was.

The capability number reported will be correct in its own right, 
regardless of the class.


-- 
James Morris
<jmorris@xxxxxxxxx>
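
An added example, not code from this thread or from ausearch: a parser that reads every field of the AVC record before interpreting any of them, names the capability from the full number in `capability=`, and cross-checks it against `tclass` and the permission in braces. The function names are hypothetical, the capability table follows linux/capability.h, the split at 32 between `capability` and `capability2` is assumed from the kernel's 32-bit capability words, and the second record is constructed.

```python
import re

# Capability numbers 0-33 from linux/capability.h (later kernels add more).
CAP_NAMES = ("chown dac_override dac_read_search fowner fsetid kill setgid "
             "setuid setpcap linux_immutable net_bind_service net_broadcast "
             "net_admin net_raw ipc_lock ipc_owner sys_module sys_rawio "
             "sys_chroot sys_ptrace sys_pacct sys_admin sys_boot sys_nice "
             "sys_resource sys_time sys_tty_config mknod lease audit_write "
             "audit_control setfcap mac_override mac_admin").split()

# Assumption: caps 0-31 are checked in class capability, 32-63 in capability2.
CAP_CLASSES = ("capability", "capability2")
AVC_RE = re.compile(r"avc:\s+(denied|granted)\s+\{([^}]*)\}\s+for\s+(.*)", re.S)


def parse_avc(record):
    """Parse a whole AVC record into a dict before interpreting any field."""
    m = AVC_RE.search(record)
    if not m:
        raise ValueError("not an AVC record")
    pairs = re.findall(r'(\w+)=("[^"]*"|\S+)', m.group(3))
    fields = {key: value.strip('"') for key, value in pairs}
    fields["result"] = m.group(1)
    fields["perms"] = m.group(2).split()
    return fields


def interpret_capability(fields):
    """Return (name, consistent): the name comes from the full capability
    number alone; consistent says whether tclass and the permission agree."""
    cap = int(fields["capability"])
    name = CAP_NAMES[cap] if 0 <= cap < len(CAP_NAMES) else "unknown(%d)" % cap
    expected_class = CAP_CLASSES[cap >> 5] if 0 <= cap < 64 else None
    consistent = (fields.get("tclass") == expected_class
                  and name in fields["perms"])
    return name, consistent


# The record quoted in the thread, then a constructed capability2 record.
THREAD_RECORD = ('avc:  denied  { ipc_owner } for  pid=4653 comm="ntpd" '
                 'capability=15 scontext=root:system_r:ntpd_t '
                 'tcontext=root:system_r:ntpd_t tclass=capability')
CONSTRUCTED_RECORD = ('avc:  denied  { mac_admin } for  pid=100 comm="example" '
                      'capability=33 scontext=root:system_r:example_t '
                      'tcontext=root:system_r:example_t tclass=capability2')

if __name__ == "__main__":
    for rec in (THREAD_RECORD, CONSTRUCTED_RECORD):
        print(interpret_capability(parse_avc(rec)))
```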
