Bug 461783 - audit record ID header syntax change of "host" to "node"
audit record ID header syntax change of "host" to "node"
Product: Fedora
Classification: Fedora
Component: setroubleshoot (Show other bugs)
All Linux
medium Severity medium
: ---
: ---
Assigned To: John Dennis
Fedora Extras Quality Assurance
Depends On:
  Show dependency treegraph
Reported: 2008-09-10 11:31 EDT by John Dennis
Modified: 2008-09-10 12:38 EDT (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-09-10 12:38:10 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)

  None (edit)
Description John Dennis 2008-09-10 11:31:42 EDT
The audit system recently began prepending audit records with the host name. This information supposed to have been formatted thusly:

host=foo.example.com type=AVC_PATH msg=audit(1166045975.667:1128):

however the field name was later changed to "node", e.g.:

node=foo.example.com type=AVC_PATH msg=audit(1166045975.667:1128):

on the belief a field name of "host" would conflict with other uses of the field "host" which might appear elsewhere in audit records (technically this is not valid because the two uses of "host" appear in semantically different portions of the audit record and thus do not conflict and a good parser can tell the difference). 

Thus we need to change the field "host" to "node" when parsing the audit record ID header. We also need to change the framework/test/data/audit/* files because they no longer match what the audit system actually emits.
Comment 1 John Dennis 2008-09-10 12:38:10 EDT
I've made the fixes, checked them into mercurial. However, I have not tested the fix (only needed to fix where we read the value and where we write it, both pretty simple, I expect it will work fine, plus you only hit this code if the node name reporting feature is turned on in audit, normally it's not).

Note You need to log in before you can comment on or make changes to this bug.