Problem meeting FAU_SEL with trusted programs

After posting my patch last week I got some feedback about a problem with FAU_SEL.1 Selectable Audit and FAU_SAR.3 Selectable Audit Review. Since cups is generating audit messages on behalf of the user the uid and auid fields in the record are those of cupsd and not the user who submitted the print job. type=USER_LABELED_EXPORT msg=audit(1139496671.166:828): user pid=20396 uid=0 auid=4294967295 msg='job=21 user="mra" printer="localp" with labels "secret" "secret": exe="/usr/sbin/cupsd" (hostname=orb.zko.hp.com, addr=16.116.96.203, terminal=pts/1 res=success)' Even if the audit message string was changed to include 'uid=500' there would still be a discrepancy between the various fields of the record. I mentioned this on #audit and Steve said he could add the ability to ausearch to look for the uid= substring in the message, but I'm not sure that meets the first requirement. If we have two uid and auid fields in all of these trusted program generated messages is it always the one in the message string that is correct? Does ausearch always have to look into the message string to see if there is a (a)uid there to match on? Can a trusted program be trusted to pass in the auid and uid to audit? If it can then there would be only one uid and auid in the record, do we need the identification information about the trusted program which passed this data to the kernel? It seems like other trusted programs (at least cron) will also have this problem of a server generating messages on behalf of a user and needing to pass audit records into the kernel with that user's information. Don't we need an audit interface to support that? -matt