Bug 1256950

Summary: BUG: audit subsystem adds BPRM_FCAPS record on setuid execution
Product: [Fedora] Fedora
Component: kernel
Version: rawhide
Status: CLOSED DEFERRED
Severity: unspecified
Priority: unspecified
Hardware: Unspecified
OS: Unspecified
Reporter: Steve Grubb <sgrubb>
Assignee: Paul Moore <pmoore>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: gansalmon, itamar, jonathan, kernel-maint, madhu.chinakonda, mchehab, rbriggs
Keywords: FutureFeature
Doc Type: Enhancement
Last Closed: 2016-06-02 20:14:32 UTC
Type: Bug

Description Steve Grubb 2015-08-25 20:29:59 UTC
Description of problem:
The audit subsystem is adding a BPRM_FCAPS record when auditing setuid application execution. This is not expected as it was supposed to be limited to when the file system actually had capabilities in an extended attribute.

Version-Release number of selected component (if applicable):
4.1.5-200.fc22.x86_64

Steps to Reproduce:
1. auditctl -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=setuid-exec
2. su - root
3. ausearch --start recent -k setuid-exec -i

Actual results:
It lists all capabilities making the event really ugly to parse what is happening.

Expected results:
No BPRM_FCAPS record. The PATH record correctly records the setuid bit and owner.
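
Added example, not part of the original report or of the audit project's code: a small parser that groups raw audit records by event serial and separates BPRM_FCAPS records backed by file capabilities from those emitted for a plain setuid-root binary, which is the case reported above. The log lines are constructed, and the field layout (fver/fp/fi in BPRM_FCAPS, mode/ouid in PATH) and the reading of all-zero fver/fp/fi as "no capability xattr" are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample records (not taken from the bug report); the field layout
# is assumed to match raw audit.log output from a 4.1-era kernel.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1440534599.101:812): arch=c000003e syscall=59 success=yes exit=0 uid=1000 euid=0 comm="su" exe="/usr/bin/su" key="setuid-exec"
type=BPRM_FCAPS msg=audit(1440534599.101:812): fver=0 fp=0000000000000000 fi=0000000000000000 fe=0 old_pp=0000000000000000 old_pi=0000000000000000 old_pe=0000000000000000 new_pp=0000003fffffffff new_pi=0000000000000000 new_pe=0000003fffffffff
type=PATH msg=audit(1440534599.101:812): item=0 name="/usr/bin/su" inode=131 dev=fd:01 mode=0104755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL
type=SYSCALL msg=audit(1440534640.200:820): arch=c000003e syscall=59 success=yes exit=0 uid=1000 euid=1000 comm="ping" exe="/usr/bin/ping" key="exec"
type=BPRM_FCAPS msg=audit(1440534640.200:820): fver=2 fp=0000000000002000 fi=0000000000000000 fe=1 old_pp=0000000000000000 old_pi=0000000000000000 old_pe=0000000000000000 new_pp=0000000000002000 new_pi=0000000000000000 new_pe=0000000000002000
type=PATH msg=audit(1440534640.200:820): item=0 name="/usr/bin/ping" inode=207 dev=fd:01 mode=0100755 ouid=0 ogid=0 rdev=00:00 nametype=NORMAL cap_fp=0000000000002000 cap_fi=0000000000000000 cap_fe=1 cap_fver=2
"""

REC = re.compile(r"type=(\S+) msg=audit\((\d+\.\d+):(\d+)\): (.*)")
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')

def group_events(log):
    """Map event serial -> record type -> list of field dicts."""
    events = defaultdict(lambda: defaultdict(list))
    for line in log.splitlines():
        m = REC.match(line)
        if m:
            rtype, _ts, serial, body = m.groups()
            fields = {k: v.strip('"') for k, v in KV.findall(body)}
            events[int(serial)][rtype].append(fields)
    return events

def classify(event):
    """Return 'file-caps', 'setuid-only', 'unexplained', or None (no BPRM_FCAPS)."""
    fcaps = event.get("BPRM_FCAPS")
    if not fcaps:
        return None
    f = fcaps[0]
    # Assumption: non-zero fver/fp/fi means a capability xattr was read from the file.
    if int(f["fver"], 16) or int(f["fp"], 16) or int(f["fi"], 16):
        return "file-caps"
    # Otherwise check whether the PATH record shows a setuid bit on a root-owned file.
    setuid_root = any(int(p.get("mode", "0"), 8) & 0o4000 and p.get("ouid") == "0"
                      for p in event.get("PATH", []))
    return "setuid-only" if setuid_root else "unexplained"

def report(log):
    """Classify every event in a raw audit log string."""
    return {serial: classify(ev) for serial, ev in sorted(group_events(log).items())}

if __name__ == "__main__":
    for serial, verdict in report(SAMPLE_LOG).items():
        print(serial, verdict)
```

Events classified as setuid-only are the ones this report expects to carry no BPRM_FCAPS record, since the PATH record already shows the setuid bit and owner.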

Comment 1 Justin M. Forbes 2015-10-20 19:20:59 UTC
*********** MASS BUG UPDATE **************

We apologize for the inconvenience.  There is a large number of bugs to go through and several of them have gone stale.  Due to this, we are doing a mass bug update across all of the Fedora 22 kernel bugs.

Fedora 22 has now been rebased to 4.2.3-200.fc22.  Please test this kernel update (or newer) and let us know if your issue has been resolved or if it is still present with the newer kernel.

If you have moved on to Fedora 23, and are still experiencing this issue, please change the version to Fedora 23.

If you experience different issues, please open a new bug report for those.

Comment 2 Paul Moore 2015-10-20 21:35:05 UTC
Moving to Rawhide to avoid Fedora MASS BUG UPDATEs.

Comment 3 Paul Moore 2016-06-02 20:14:32 UTC
Marking this as CLOSED/DEFERRED as we are tracking this upstream bug on GitHub.

* https://github.com/linux-audit/audit-kernel/issues/16