Format of AUDIT_AVC record:

Every AUDIT_AVC record contains:

    "avc:  denied|granted for "

if access vector empty then:
    "null"
else:
    "{ access1 access2 ... accessN }"
    Note: if any access names are not known then hex string 0x%x will be included
    with the bits set in the vector which could not be converted

Then may contain task information:

    "pid=%d comm=%s"
    pid: the numeric process id
    comm: command line program name

Then depending on the type of AVC, which may be one of:
AVC_AUDIT_DATA_IPC
AVC_AUDIT_DATA_CAP
AVC_AUDIT_DATA_FS
AVC_AUDIT_DATA_NET

The following fields occur depending on the type:

AVC_AUDIT_DATA_IPC

    "key=%d"
    key: ?? ipc id

AVC_AUDIT_DATA_CAP

    "capability=%d"
    capability: ??

AVC_AUDIT_DATA_FS

    if there is a directory entry:
        if the file system is known:
            "path=%s"
            path: file system path name
        else:
            "name=%s"
	    name: file name (e.g. basename)
    else if there is an inode:
        if there is an alias for the inode:
            "name=%s"
	    name: file name (e.g. basename)
        "dev=%s ino=%lu"
        dev: device name as found in /dev
        ino: numeric inode value ?? is this field sometimes "ino" and other times "inode"?


AVC_AUDIT_DATA_NET

    if socket info available:
        if AF_INET or AF_INET6:
	    "laddr=%s lport=%d faddr=%s" fport=%d"
	    laddr: local address (i.e. source address) ?? is this the same as "saddr"?
	    lport: local port (i.e. source port)
	    faddr: foreign address (i.e. destination address) ?? is this the same as "addr"?
	    fport: foreign port (i.e. desination port)
	else if AF_UNIX:
            "path=%s"
	    path: UNIX socket path name
    if AF_INET or AF_INET6
        "saddr=%s src=%d daddr=%s dest=%d"
	saddr: source address
        src: source port
        daddr: destination address
        dest: destination port
    if network interface available:
        "netif=%s"
	netif: 


The following fields describe the security information:

If there was an error formatting the subject context string::
    "ssid=%d"
    ssid: subject security SID
else:
    "scontext=%s"
    scontext: the subject's context string

If there was an error formatting the target context string::
    "tsid=%d"
    tsid: target security SID
else:
    "tcontext=%s"
    tcontext: the target's context string

"tclass=%s"
tclass: target's object classification
------------------------------------

	a? - alphanumeric, the arguments to a syscall
	acct - alphanumeric, a user's account name
	addr - the remote address that the user is connecting from
	arch - numeric, the elf architecture flags
	audit_backlog_limit - numeric, audit system's backlog queue size
	audit_enabled - numeric, audit systems's enable/disable status
	audit_failure - numeric, audit system's failure mode
	auid - numeric, login user id
	comm - alphanumeric, command line program name
	cwd - path name, the current working directory
	dev - numeric, in path records, major and minor for device
	dev - in avc records, device name as found in /dev
	egid - numeric, effective group id
	euid - numeric, effective user id
	exe - path name, executable name
	exit - numeric, syscall exit code
	file - file name
	flags - numeric, file system namei flags
	format - alphanumeric, audit log's format
	fsgid - numeric, file system group id
	fsuid - numeric, file system user id
	gid - numeric, group id
	hostname - alphanumeric, the hostname that the user is connecting from
	id - numeric, during account changes, the user id of the account
	inode - numeric, inode number
	inode_gid - numeric, group id of the inode's owner
	inode_uid - numeric, user id of the inode's owner
	item - numeric, which item is being recorded
	items - numeric, the number of path records in the event
	list - numeric, the audit system's filter list number
	mode - numeric, mode flags on a file
	msg - alphanumeric, the payload of the audit record
	nargs - numeric, the number of arguments to a socket call
	name - file name in avcs
	obj - alphanumeric, lspp object context string
	ogid - numeric, object owner's group id
	old - numeric, old audit_enabled, audit_backlog, or audit_failure value
	old_prom - numeric, network promiscuity flag
	op - alphanumeric, the operation being performed that is audited
	ouid - numeric, object owner's user id
	parent - numeric, the inode number of the parent file
	path - file system path name
	perm - numeric, the file permission being used
	perm_mask - numeric, file permission audit mask that triggered a watch event
	pid - numeric, process id
	prom - numeric, network promiscuity flag
	qbytes - numeric, ipc objects quantity of bytes
	range - alphanumeric, user's SE Linux range
	rdev - numeric, the device identifier (special files only)
	res - alphanumeric, result of the audited operation (success/fail)
	result - alphanumeric, result of the audited operation (success/fail)
	role - alphanumeric, user's SE linux role
	saddr - alphanumeric, socket address
        sauid - numeric, sending login user id
	scontext - alphanumeric, the subject's context string
	seuser - alphanumeric, user's SE Linux user acct
	sgid - numeric, set group id
	spid - numeric, sending process id
	subj- alphanumeric, lspp subject's context string
	success - alphanumeric, whether the syscall was successful or not
        suid - numeric, sending user id
	syscall - numeric, the syscall number in effect when the event occurred
	tclass - alphanumeric, target's object classification
	tcontext - alphanumeric, the target's or object's context string
	terminal - alphanumeric, terminal name the user is running programs on
	tty - alphanumeric, tty interface that the user is running programs on
	type - alphanumeric, the audit record's type
	uid - numeric, user id
	user - alphanumeric, account the user claims to be prior to authentication
	ver - numeric, audit daemon's version number
	watch - the file name in a watch record

auparse_state_t - is an opaque data type used for maintaining library state.
