On Mon, Aug 8, 2022 at 1:36 PM Christian Göttsche <cgzones@xxxxxxxxxxxxxx> wrote: > > Do not add a final newline to the avc log message as it will be treated > as a part of the tclass field in final audit record: > > { > "AUDIT_FIELD_EXE" : "/usr/bin/dbus-broker", > "_UID" : "104", > "_AUDIT_SESSION" : "4294967295", > "_TRANSPORT" : "audit", > "__REALTIME_TIMESTAMP" : "1659975331468531", > "_AUDIT_TYPE" : "1107", > "AUDIT_FIELD_SCONTEXT" : "system_u:system_r:systemd_t:s0", > "_AUDIT_LOGINUID" : "4294967295", > "_SELINUX_CONTEXT" : "system_u:system_r:system_dbusd_t:s0-s0:c0.c1023", > "AUDIT_FIELD_SAUID" : "104", > "MESSAGE" : "USER_AVC pid=1538 uid=104 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus\n exe=\"/usr/bin/dbus-broker\" sauid=104 hostname=? addr=? terminal=?'", > "AUDIT_FIELD_TCONTEXT" : "system_u:system_r:systemd_logind_t:s0", > "_SOURCE_REALTIME_TIMESTAMP" : "1659975331462000", > "__MONOTONIC_TIMESTAMP" : "207995768", > "AUDIT_FIELD_TCLASS" : "dbus\n", > "AUDIT_FIELD_TERMINAL" : "?", > "_PID" : "1538", > "SYSLOG_FACILITY" : "4", > "_BOOT_ID" : "3921464b65f64fb4a7c037dee97cd6ad", > "SYSLOG_IDENTIFIER" : "audit", > "_MACHINE_ID" : "5d78c28f10d54c0fb7b6fd1acc6af8ff", > "_AUDIT_TYPE_NAME" : "USER_AVC", > "__CURSOR" : "s=84589ce96ff8400189fc515ff892674a;i=c38e;b=3921464b65f64fb4a7c037dee97cd6ad;m=c65c378;t=5e5bd1ff7d4f3;x=c22e610fc9b00b10", > "AUDIT_FIELD_ADDR" : "?", > "AUDIT_FIELD_HOSTNAME" : "?", > "_AUDIT_ID" : "1075", > "_HOSTNAME" : "debianBullseye" > } > > Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx> Acked-by: James Carter <jwcart2@xxxxxxxxx> > --- > libselinux/src/avc.c | 1 - > 1 file changed, 1 deletion(-) > > diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c > index 7493e4b2..8d5983a2 100644 > --- a/libselinux/src/avc.c > +++ b/libselinux/src/avc.c > @@ -725,7 +725,6 @@ void avc_audit(security_id_t ssid, security_id_t tsid, > if (denied) > log_append(avc_audit_buf, " permissive=%u", result ? 0 : 1); > > - log_append(avc_audit_buf, "\n"); > avc_log(SELINUX_AVC, "%s", avc_audit_buf); > > avc_release_lock(avc_log_lock); > -- > 2.36.1 >