Q: normalize AUDIT_SELINUX_ERR records

[rgbriggs]

@stevegrubb Are these worth normalizing the listed fields?

• security/selinux/ss/services.c:security_validtrans_handle_fail():
  • "op=security_validate_transition seresult=denied oldcontext=%s newcontext=%s taskcontext=%s tclass=%s"
• security/selinux/ss/services.c:security_bounded_transition()
  • "op=security_bounded_transition seresult=denied oldcontext=%s newcontext=%s"
• security/selinux/ss/services.c:compute_sid_handle_invalid_context()
  • "op=security_compute_sid invalid_context=%s scontext=%s tcontext=%s tclass=%s"
• security/selinux/ss/services.c:security_sid_mls_copy()
  • "op=security_sid_mls_copy invalid_context=%s"

Should "oldcontext" be switched to "old-scontext", "newcontext" to "scontext", "taskcontext" to "tcontext"?

[stevegrubb]

Sure. That said, you'd need permission from selinux community to mess with their events.

[pcmoore]

I'm really not sure this is worth the risk; we stand a reasonable chance of breaking stuff (setroubleshoot, audit2allow, etc.) simply so the output is a little more consistent. Consistency is nice, but I think we missed our opportunity here.

Perhaps most importantly, as the SELinux kernel maintainer I'm going to NACK this for the time being, so let's close this as WONTFIX.