This repository has been archived by the owner on Dec 9, 2022. It is now read-only.

sealert advice is useless if AVC contains command in hexadecimal form #56

Open
milosmalik opened this issue Aug 1, 2017 · 0 comments

If an AVC was caused by a program whose name contains a space, then the sealert advice is useless, because the ausearch command shown in the advice does not find any AVC.

# sealert -l '*'
SELinux is preventing 70617373776420636F7079 from write access on the file /root/output.txt.

*****  Plugin catchall (100. confidence) suggests   **************************

If you believe that 70617373776420636F7079 should be allowed write access on the output.txt file by default.
Then you should report this as a bug.
You can generate a local policy module to allow this access.
Do
allow this access for now by executing:
# ausearch -c '70617373776420636F7079' --raw | audit2allow -M my-70617373776420636F7079
# semodule -i my-70617373776420636F7079.pp

Additional Information:
Source Context                unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023
Target Context                unconfined_u:object_r:admin_home_t:s0
Target Objects                /root/output.txt [ file ]
Source                        70617373776420636F7079
Source Path                   70617373776420636F7079
Port                          <Unknown>
Host                          pegas74
Source RPM Packages           
Target RPM Packages           
Policy RPM                    selinux-policy-3.13.1-166.el7.noarch
Selinux Enabled               True
Policy Type                   targeted
Enforcing Mode                Enforcing
Host Name                     pegas74
Platform                      Linux pegas74 4.11.0-10.el7a.x86_64 #1 SMP Wed Jun
                              21 20:48:03 EDT 2017 x86_64 x86_64
Alert Count                   1
First Seen                    2017-08-01 14:53:45 CEST
Last Seen                     2017-08-01 14:53:45 CEST
Local ID                      ca462753-5b11-49c1-95b2-27535a70787c

Raw Audit Messages
type=AVC msg=audit(1501592025.717:740): avc:  denied  { write } for  pid=30473 comm=70617373776420636F7079 path="/root/output.txt" dev="vda2" ino=17383520 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0

Hash: 70617373776420636F7079,passwd_t,admin_home_t,file,write
# ausearch -c '70617373776420636F7079' --raw
# echo $?
1
#

If we use the decoded form of the command name, then ausearch works as expected and the generated AVC is found.

# ls -Z /usr/bin/passwd*
-rwsr-xr-x. root root system_u:object_r:passwd_exec_t:s0 /usr/bin/passwd
-rwsr-xr-x. root root system_u:object_r:passwd_exec_t:s0 /usr/bin/passwd copy
# /usr/bin/passwd\ copy --help >& /root/output.txt
# ausearch -c 'passwd copy' --raw
type=AVC msg=audit(1501592025.717:740): avc:  denied  { write } for  pid=30473 comm=70617373776420636F7079 path="/root/output.txt" dev="vda2" ino=17383520 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=AVC msg=audit(1501592025.717:740): avc:  denied  { write } for  pid=30473 comm=70617373776420636F7079 path="/root/output.txt" dev="vda2" ino=17383520 scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0
type=SYSCALL msg=audit(1501592025.717:740): arch=c000003e syscall=59 success=yes exit=0 a0=2838800 a1=283cad0 a2=2832be0 a3=7ffd0d95bcb0 items=2 ppid=1392 pid=30473 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 ses=1 comm=70617373776420636F7079 exe=2F7573722F62696E2F70617373776420636F7079 subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)
type=EXECVE msg=audit(1501592025.717:740): argc=2 a0=2F7573722F62696E2F70617373776420636F7079 a1="--help"
type=CWD msg=audit(1501592025.717:740): cwd="/root"
type=PATH msg=audit(1501592025.717:740): item=0 name=2F7573722F62696E2F70617373776420636F7079 inode=25461842 dev=fd:02 mode=0104755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:passwd_exec_t:s0 nametype=NORMAL
type=PATH msg=audit(1501592025.717:740): item=1 name="/lib64/ld-linux-x86-64.so.2" inode=43342 dev=fd:02 mode=0100755 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:ld_so_t:s0 nametype=NORMAL
type=PROCTITLE msg=audit(1501592025.717:740): proctitle=2F7573722F62696E2F70617373776420636F7079002D2D68656C70
#
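What the report shows is the kernel audit subsystem hex-encoding any field value that contains a space (or a quote or non-printable byte): comm=70617373776420636F7079 is the bytes of "passwd copy", and the catchall plugin pastes that encoded form straight into its ausearch -c suggestion. The following is an added example, not code from the original issue, setroubleshoot or audit. It decodes the hex-encoded fields of the records quoted above (embedded here as constructed sample input), filters records by the decoded comm the way the working ausearch -c 'passwd copy' invocation did, and rebuilds the advice with a shell-quoted name. The set of fields treated as hex-encodable and the underscore substitution for the module name are this example's assumptions.

```python
"""Decode hex-encoded audit fields and rebuild the sealert advice for a
process whose name contains a space.

Added example for this issue, not code from setroubleshoot or audit.
"""
import re
import shlex

# Fields the kernel may hex-encode (unquoted, uppercase hex) when the value
# contains a space, a double quote or a non-printable byte. Assumed list;
# restricting decoding to these fields keeps numeric fields such as
# ino=17383520 from being mistaken for hex strings.
HEX_ENCODED_FIELDS = {"comm", "exe", "name", "proctitle", "cwd", "key", "path", "dir"}

# Constructed sample: the records of audit event 740 quoted in the issue.
SAMPLE_RECORDS = [
    'type=AVC msg=audit(1501592025.717:740): avc:  denied  { write } for  pid=30473 '
    'comm=70617373776420636F7079 path="/root/output.txt" dev="vda2" ino=17383520 '
    'scontext=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 '
    'tcontext=unconfined_u:object_r:admin_home_t:s0 tclass=file permissive=0',
    'type=SYSCALL msg=audit(1501592025.717:740): arch=c000003e syscall=59 success=yes '
    'exit=0 a0=2838800 ppid=1392 pid=30473 auid=0 uid=0 comm=70617373776420636F7079 '
    'exe=2F7573722F62696E2F70617373776420636F7079 '
    'subj=unconfined_u:unconfined_r:passwd_t:s0-s0:c0.c1023 key=(null)',
    'type=EXECVE msg=audit(1501592025.717:740): argc=2 '
    'a0=2F7573722F62696E2F70617373776420636F7079 a1="--help"',
    'type=PROCTITLE msg=audit(1501592025.717:740): '
    'proctitle=2F7573722F62696E2F70617373776420636F7079002D2D68656C70',
]

_FIELD_RE = re.compile(r'(\w+)=("(?:[^"\\]|\\.)*"|\S+)')
_HEX_RE = re.compile(r"(?:[0-9A-Fa-f]{2})+")


def decode_field(key, value, record_type):
    """Decode one key=value pair. Quoted values lose their quotes; values of
    hex-encodable fields (and aN= arguments of EXECVE records) that consist
    only of hex byte pairs are decoded; everything else is returned as-is."""
    if len(value) >= 2 and value[0] == '"' and value[-1] == '"':
        return value[1:-1]
    encodable = key in HEX_ENCODED_FIELDS or (
        record_type == "EXECVE" and re.fullmatch(r"a\d+", key) is not None
    )
    if not encodable or not _HEX_RE.fullmatch(value):
        return value
    decoded = bytes.fromhex(value).decode("utf-8", "replace")
    if key == "proctitle":
        # argv elements are NUL-separated inside proctitle; show them space-joined
        decoded = decoded.replace("\x00", " ")
    return decoded


def parse_record(line):
    """Split one raw audit line into a dict of decoded fields (including type=)."""
    fields = dict(_FIELD_RE.findall(line))
    record_type = fields.get("type", "")
    return {key: decode_field(key, value, record_type) for key, value in fields.items()}


def records_for_comm(lines, comm):
    """Emulate `ausearch -c COMM`: keep records whose decoded comm equals COMM.
    Passing the raw hex string, as the generated advice does, matches nothing."""
    return [r for r in (parse_record(line) for line in lines) if r.get("comm") == comm]


def suggested_commands(avc):
    """Rebuild the catchall plugin's advice with a shell-safe ausearch argument
    and a module name without spaces (underscore substitution is this
    example's choice, not setroubleshoot's)."""
    comm = avc["comm"]
    module = "my-" + re.sub(r"[^A-Za-z0-9_-]", "_", comm)
    return [
        f"ausearch -c {shlex.quote(comm)} --raw | audit2allow -M {module}",
        f"semodule -i {module}.pp",
    ]


if __name__ == "__main__":
    for line in SAMPLE_RECORDS:
        rec = parse_record(line)
        shown = {k: rec[k] for k in ("comm", "exe", "a0", "proctitle") if k in rec}
        print(rec["type"], shown)
    print("hex comm matches:", len(records_for_comm(SAMPLE_RECORDS, "70617373776420636F7079")))
    avc = records_for_comm(SAMPLE_RECORDS, "passwd copy")[0]
    print("\n".join(suggested_commands(avc)))
```

On a real host the same decoding is what `ausearch -i` (interpret) prints for these fields; the point of the example is that the advice text must quote the decoded name, or the suggested pipeline silently produces no policy module.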