6bfa6d
diff -urp audit-3.0.orig/src/ausearch-parse.c audit-3.0/src/ausearch-parse.c
6bfa6d
--- audit-3.0.orig/src/ausearch-parse.c	2019-03-15 15:30:39.000000000 -0400
6bfa6d
+++ audit-3.0/src/ausearch-parse.c	2019-04-16 16:08:52.862402589 -0400
6bfa6d
@@ -49,7 +49,7 @@ static int parse_dir(const lnode *n, sea
6bfa6d
 static int common_path_parser(search_items *s, char *path);
6bfa6d
 static int avc_parse_path(const lnode *n, search_items *s);
6bfa6d
 static int parse_path(const lnode *n, search_items *s);
6bfa6d
-static int parse_user(const lnode *n, search_items *s);
6bfa6d
+static int parse_user(const lnode *n, search_items *s, anode *avc);
6bfa6d
 static int parse_obj(const lnode *n, search_items *s);
6bfa6d
 static int parse_login(const lnode *n, search_items *s);
6bfa6d
 static int parse_daemon1(const lnode *n, search_items *s);
6bfa6d
@@ -105,7 +105,7 @@ int extract_search_items(llist *l)
6bfa6d
 			case AUDIT_FIRST_USER_MSG...AUDIT_USER_END:
6bfa6d
 			case AUDIT_USER_CHAUTHTOK...AUDIT_LAST_USER_MSG:
6bfa6d
 			case AUDIT_FIRST_USER_MSG2...AUDIT_LAST_USER_MSG2:
6bfa6d
-				ret = parse_user(n, s);
6bfa6d
+				ret = parse_user(n, s, NULL);
6bfa6d
 				break;
6bfa6d
 			case AUDIT_SOCKADDR:
6bfa6d
 				ret = parse_sockaddr(n, s);
6bfa6d
@@ -830,7 +830,7 @@ static int parse_obj(const lnode *n, sea
6bfa6d
 	return 0;
6bfa6d
 }
6bfa6d
 
6bfa6d
-static int parse_user(const lnode *n, search_items *s)
6bfa6d
+static int parse_user(const lnode *n, search_items *s, anode *avc)
6bfa6d
 {
6bfa6d
 	char *ptr, *str, *term, saved, *mptr;
6bfa6d
 
6bfa6d
@@ -915,7 +915,10 @@ static int parse_user(const lnode *n, se
6bfa6d
 			if (term == NULL)
6bfa6d
 				return 12;
6bfa6d
 			*term = 0;
6bfa6d
-			if (audit_avc_init(s) == 0) {
6bfa6d
+			if (avc) {
6bfa6d
+				avc->scontext = strdup(str);
6bfa6d
+				*term = ' ';
6bfa6d
+			} else if (audit_avc_init(s) == 0) {
6bfa6d
 				anode an;
6bfa6d
 
6bfa6d
 				anode_init(&an);
6bfa6d
@@ -926,6 +929,31 @@ static int parse_user(const lnode *n, se
6bfa6d
 				return 13;
6bfa6d
 		}
6bfa6d
 	}
6bfa6d
+	// optionally get tcontext
6bfa6d
+	if (avc && event_object) {
6bfa6d
+		// USER_AVC tcontext
6bfa6d
+		str = strstr(term, "tcontext=");
6bfa6d
+		if (str != NULL) {
6bfa6d
+			str += 9;
6bfa6d
+			term = strchr(str, ' ');
6bfa6d
+			if (term) {
6bfa6d
+				*term = 0;
6bfa6d
+				avc->tcontext = strdup(str);
6bfa6d
+				*term = ' ';
6bfa6d
+			}
6bfa6d
+		}
6bfa6d
+		// Grab tclass if it exists
6bfa6d
+		str = strstr(term, "tclass=");
6bfa6d
+		if (str) {
6bfa6d
+			str += 7;
6bfa6d
+			term = strchr(str, ' ');
6bfa6d
+			if (term) {
6bfa6d
+				*term = 0;
6bfa6d
+				avc->avc_class = strdup(str);
6bfa6d
+				*term = ' ';
6bfa6d
+			}
6bfa6d
+		}
6bfa6d
+	}
6bfa6d
 	// optionally get gid
6bfa6d
 	if (event_gid != -1) {
6bfa6d
 		if (n->type == AUDIT_ADD_GROUP || n->type == AUDIT_DEL_GROUP ||
6bfa6d
@@ -1880,7 +1908,7 @@ static int parse_avc(const lnode *n, sea
6bfa6d
 other_avc:
6bfa6d
 	// User AVC's are not formatted like a kernel AVC
6bfa6d
 	if (n->type == AUDIT_USER_AVC) {
6bfa6d
-		rc = parse_user(n, s);
6bfa6d
+		rc = parse_user(n, s, &an);
6bfa6d
 		if (rc > 20)
6bfa6d
 			rc = 0;
6bfa6d
 		if (audit_avc_init(s) == 0) {
6bfa6d
diff -urp audit-3.0.orig/src/ausearch-string.c audit-3.0/src/ausearch-string.c
6bfa6d
--- audit-3.0.orig/src/ausearch-string.c	2019-03-15 15:30:39.000000000 -0400
6bfa6d
+++ audit-3.0/src/ausearch-string.c	2019-04-16 15:55:39.186487759 -0400
6bfa6d
@@ -118,6 +118,9 @@ int slist_add_if_uniq(slist *l, const ch
6bfa6d
 	snode sn;
6bfa6d
         register snode *cur;
6bfa6d
 
6bfa6d
+	if (str == NULL)
6bfa6d
+		return -1;
6bfa6d
+
6bfa6d
        	cur = l->head;
6bfa6d
 	while (cur) {
6bfa6d
 		if (strcmp(str, cur->str) == 0) {