Handle mount events/log entries without class
audit.log entries for mount events don't always include class=mount
,
but can still be the base for mount rules.
Change logparser.py to also consider operation=mount
as a mount event.
Actually we already had such a log and profile in our collection (testcase_mount_01), but since it existed years before MountRule was implemented, it was excluded in test-libapparmor-test_multi.py. Therefore we didn't notice that it failed to produce a profile rule when MountRule was introduced.
Remove testcase_mount_01 from the list of known failures so that it gets tested - and fix the syntax error in the hand-written testcase_mount_01.profile.
Also add testcase_mount_02 which is a mount event without fstype, srcname and class.
I propose this fix for 4.0 and master.