Bug 1344268

Summary: autrace destroys all audit rules, despite what manpage says
Product: Fedora
Reporter: Dario Maiocchi <dmaiocchi>
Component: audit
Assignee: Steve Grubb <sgrubb>
Status: CLOSED ERRATA
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: medium
Priority: unspecified
Version: rawhide
CC: sgrubb
Keywords: Reopened
Hardware: All
OS: Linux
Fixed In Version: audit-2.6-3.fc24 audit-2.6.2-1.fc24
Last Closed: 2016-07-03 12:22:47 UTC
Type: Bug

Description Dario Maiocchi 2016-06-09 09:52:28 UTC
Description of problem:

from autrace manpage: 
 As a safety precaution, it will not run unless
       all rules are deleted with auditctl prior to use.

Version-Release number of selected component (if applicable):

audit 2.5.1 1fc23

Fedora 23 Server Edition

How reproducible: always

Steps to Reproduce: [as root]
1. auditctl -w /etc/shadow
2. auditctl -l

-w /etc/shadow -p rwxa

3. autrace /bin/ls /tmp

Actual results:

Waiting to execute: /bin/ls
Cleaning up...
Trace complete. You can locate the records with 'ausearch -i -p 31229'

auditctl -l
No rules


Expected results:

root@host:~# autrace /bin/ls /tmp
autrace cannot be run with rules loaded.
Please delete all rules using ‘auditctl -D’ if you really wanted to
run this command.


http://linux-audit.com/configuring-and-auditing-linux-systems-with-audit-daemon/

Comment 1 Steve Grubb 2016-06-09 13:50:08 UTC
Hi,

Autrace is supposed to run only when the rule count is 0.

https://fedorahosted.org/audit/browser/trunk/src/autrace.c#L190

Looking through the code, the only way that I can see this happening is if no rules get listed and the loop times out. It works fine on my system. Is there any chance you can put a few printfs in the count_em() function to see what is going wrong?

In the meantime, I'll update the code so that a loop timeout cannot return 0.

Comment 2 Steve Grubb 2016-06-09 13:58:24 UTC
Loop timeout fixup is svn commit 1258.
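
The failure mode discussed in comments 1 and 2, a bounded polling loop whose timeout path returns the same value as "no rules loaded", shown next to a fail-closed variant. This is an added illustration, not the audit project's count_em() or the committed fix; the reply feed, MAX_POLLS and every function name here are hypothetical.

```c
#include <stdio.h>

/* Constructed stand-in for the replies to a "list rules" request. */
enum reply { NO_DATA, RULE, END_OF_LIST };
#define MAX_POLLS 5 /* hypothetical retry budget before giving up */

/* One poll: the i-th reply, or NO_DATA once the constructed feed runs dry. */
static enum reply poll_reply(const enum reply *feed, int len, int i)
{
    return i < len ? feed[i] : NO_DATA;
}

/* Fail-open: running out of polls looks the same as "zero rules loaded". */
int count_fail_open(const enum reply *feed, int len)
{
    int n = 0;
    for (int i = 0; i < MAX_POLLS; i++) {
        enum reply r = poll_reply(feed, len, i);
        if (r == END_OF_LIST) break;
        if (r == RULE) n++;
    }
    return n; /* a timeout also lands here, possibly with n == 0 */
}

/* Fail-closed: only an explicit end-of-list yields a count; timeout is -1. */
int count_fail_closed(const enum reply *feed, int len)
{
    int n = 0;
    for (int i = 0; i < MAX_POLLS; i++) {
        enum reply r = poll_reply(feed, len, i);
        if (r == END_OF_LIST) return n;
        if (r == RULE) n++;
    }
    return -1;
}

/* Safety gate: trace (and later clean up rules) only on a confirmed 0. */
int may_trace(int rule_count) { return rule_count == 0; }

/* Constructed feeds: replies arrive too late / one rule / no rules. */
const enum reply LATE[] = { NO_DATA, NO_DATA, NO_DATA, NO_DATA, NO_DATA, RULE, END_OF_LIST };
const enum reply ONE[] = { RULE, END_OF_LIST };
const enum reply NONE[] = { END_OF_LIST };

int main(void)
{
    printf("late replies: fail-open=%d fail-closed=%d\n",
           count_fail_open(LATE, 7), count_fail_closed(LATE, 7));
    return 0;
}
```

With the late feed, the fail-open counter reports 0 and the gate lets the trace proceed even though a rule is loaded; the fail-closed counter reports -1 and the gate refuses.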

Comment 3 Fedora Update System 2016-06-22 22:11:18 UTC
audit-2.6-3.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-4f6589e252

Comment 4 Fedora Update System 2016-06-22 22:11:30 UTC
audit-2.6-3.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-122f332493

Comment 5 Fedora Update System 2016-06-23 18:56:49 UTC
audit-2.6-3.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-122f332493

Comment 6 Fedora Update System 2016-06-23 19:26:01 UTC
audit-2.6-3.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-4f6589e252

Comment 7 Fedora Update System 2016-06-24 18:53:05 UTC
audit-2.6-3.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.

Comment 8 Fedora Update System 2016-06-29 02:03:31 UTC
audit-2.6.1-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-20e8af4a21

Comment 9 Fedora Update System 2016-06-29 18:26:38 UTC
audit-2.6.1-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-20e8af4a21

Comment 10 Fedora Update System 2016-07-01 16:20:45 UTC
audit-2.6.2-1.fc23 has been submitted as an update to Fedora 23. https://bodhi.fedoraproject.org/updates/FEDORA-2016-bf659f2cf3

Comment 11 Fedora Update System 2016-07-01 16:21:04 UTC
audit-2.6.2-1.fc24 has been submitted as an update to Fedora 24. https://bodhi.fedoraproject.org/updates/FEDORA-2016-afa82d90dd

Comment 12 Fedora Update System 2016-07-02 20:29:17 UTC
audit-2.6.2-1.fc24 has been pushed to the Fedora 24 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-afa82d90dd

Comment 13 Fedora Update System 2016-07-02 20:54:12 UTC
audit-2.6.2-1.fc23 has been pushed to the Fedora 23 testing repository. If problems still persist, please make note of it in this bug report.
See https://fedoraproject.org/wiki/QA:Updates_Testing for
instructions on how to install test updates.
You can provide feedback for this update here: https://bodhi.fedoraproject.org/updates/FEDORA-2016-bf659f2cf3

Comment 14 Fedora Update System 2016-07-03 12:22:36 UTC
audit-2.6.2-1.fc24 has been pushed to the Fedora 24 stable repository. If problems still persist, please make note of it in this bug report.