Bug 1662516

Summary: Problem with script 31-privileged.rules
Product: [Fedora] Fedora
Reporter: Alexander W. Janssen <alexander.janssen>
Component: audit
Assignee: Steve Grubb <sgrubb>
Status: CLOSED NEXTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low
Priority: unspecified
Version: 29
CC: alexander.janssen, sgrubb
Hardware: All   
OS: Linux   
Last Closed: 2019-01-03 16:22:42 UTC
Type: Bug
Attachments:
Patch to fix 31-privileged.rules (flags: none)

Description Alexander W. Janssen 2018-12-29 06:59:24 UTC
Created attachment 1517324
Patch to fix 31-privileged.rules

Description of problem:
The provided script /usr/share/doc/audit/rules/31-privileged.rules which is used to generate system-specific rules contains errors while awk is generating a rule by parsing the output of filecap.


Version-Release number of selected component (if applicable):
audit-3.0-0.5.20181218gitbdb72c0.fc29.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Pick one of the filecap commands from 31-privileged.rules and run it
2. Observe that -F path=$x is not the path, but the string "effective"/"permitted" (etc)

Actual results:
The following example statement is being used, resulting in an invalid audit rule:
# filecap /usr/bin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' | head -1
-a always,exit -F path=effective -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Expected results:
# filecap /usr/bin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' | head -1
-a always,exit -F path=/usr/bin/dumpcap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Additional info:
The provided mini-patch, which simply replaces $1 by $2 for all filecap calls, fixes the problem.
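
Added example, not part of the original report or of the audit project's rules: a rule generator that picks the first absolute-path field instead of a fixed column (going one step beyond the $1 to $2 fix), plus a lint step that rejects generated rules whose path= is not absolute. The function names and the sample filecap output are constructed for illustration.

```shell
#!/bin/sh
# Constructed sample of filecap-style output (header plus two entries).
# Layout follows the report: field 1 is the set name, field 2 is the path.
sample_filecap() {
cat <<'EOF'
set       file                 capabilities
effective /usr/bin/dumpcap     net_admin, net_raw
permitted /usr/bin/newuidmap   setuid
EOF
}

# Emit one audit rule per entry. Rather than trusting a fixed column,
# use the first field that is an absolute path; report lines with none.
gen_privileged_rules() {
    sed '1d' | awk '{
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^\//) {
                printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $i
                next
            }
        }
        printf "skipped (no absolute path): %s\n", $0 > "/dev/stderr"
    }'
}

# Lint generated rules: print each rule whose path= is missing or not
# absolute. Exits non-zero if any is found, so it can gate rule loading.
check_rule_paths() {
    awk '{
        bad = 1
        for (i = 1; i <= NF; i++)
            if ($i ~ /^path=\//) bad = 0
        if (bad) { print "invalid path in rule: " $0; rc = 1 }
    } END { exit rc + 0 }'
}

# The $1-based one-liner from the report, kept for comparison.
gen_rules_field1() {
    sed '1d' | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }'
}

sample_filecap | gen_privileged_rules
sample_filecap | gen_rules_field1 | check_rule_paths || echo "field-1 rules rejected"
```

Paths containing whitespace are not handled, since the fields are split on whitespace.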

Comment 1 Steve Grubb 2018-12-31 20:04:05 UTC
Thanks for pointing this out. Fix in upstream commit 7c03224.

Comment 2 Steve Grubb 2019-01-03 16:22:42 UTC
I am going to close this bz report. Thanks for pointing out the problem. A fix will be in the next release. If you see any other problems, please let me know.