Bug 2075509

Summary:	/usr/share/audit/sample-rules/*.rules are not architecture-independent
Product:	Red Hat Enterprise Linux 9	Reporter:	Jan Pazdziora (Red Hat) <jpazdziora>
Component:	audit	Assignee:	Sergio Correia <scorreia>
Status:	CLOSED MIGRATED	QA Contact:	BaseOS QE Security Team <qe-baseos-security>
Severity:	unspecified	Docs Contact:
Priority:	unspecified
Version:	9.0	CC:	rsroka, sgrubb
Target Milestone:	rc	Keywords:	MigratedToJIRA, Triaged
Target Release:	---	Flags:	pm-rhel: mirror+
Hardware:	Unspecified
OS:	Unspecified
Whiteboard:
Fixed In Version:		Doc Type:	If docs needed, set a value
Doc Text:		Story Points:	---
Clone Of:		Environment:
Last Closed:	2023-09-19 17:37:04 UTC	Type:	Bug
Regression:	---	Mount Type:	---
Documentation:	---	CRM:
Verified Versions:		Category:	---
oVirt Team:	---	RHEL 7.3 requirements from Atomic Host:
Cloudforms Team:	---	Target Upstream Version:
Embargoed:

Description Jan Pazdziora (Red Hat) 2022-04-14 11:59:00 UTC

Description of problem:

The content of /usr/share/audit/sample-rules/ was made architecture-dependent, to address bug 1985630.

However, that means the content that the audit package puts to /usr/share breks the Filesystem Hierarchy Standard (FHS) expectation that /usr/share should have architecture-independent (shared) data. 

Version-Release number of selected component (if applicable):

audit-3.0.7-101.el9_0.2

How reproducible:

Deterministic.

Steps to Reproduce:
1. Check /usr/share/audit/sample-rules/ on different architectures with sha256sum.

Actual results:

5fc54d4981a480e15bc6e1f7e703eeca446cc5b95cc424459c24c40013020d1d  /usr/share/audit/sample-rules/71-networking.rules on x86_64 and aarch64,
a74a05c373c26270bafb0569ed86e5f4574c343fbdf8aab0007560450213d4ba  /usr/share/audit/sample-rules/71-networking.rules on s390x.

a365d53d473232db15518cb163ef2828b13637aac9ffb00a6ea636677fc5f758  /usr/share/audit/sample-rules/30-nispom.rules
7bc05cbcfde0664abc759bad2fa8577681007d1db77b0bf5a562b1d52f8b0c79  /usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules
c97448ae2dcdbedb4c50464bfcec2a56886314d1ba8ee002f6bf63ec093b1b6b  /usr/share/audit/sample-rules/30-ospp-v42-1-create-success.rules
dc6f182ce7a0195e63f1ce60e0812c601e38de022fb8baf03ad6560e78fd73ca  /usr/share/audit/sample-rules/30-ospp-v42-2-modify-failed.rules
caeb9a7f4bb77ab89027f11789e02eb6e9b4f2fc4346eeaea25efe1730d83fe6  /usr/share/audit/sample-rules/30-ospp-v42-2-modify-success.rules
74aa84e36882dd5f1bc4f1953b938fc6425a00d28d0c36232b16a5aeadc7b413  /usr/share/audit/sample-rules/30-ospp-v42-3-access-failed.rules
24bb7aca08d354ddffd8d0addbbd4444a1a86a9766d89abceef22e753171eacd  /usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules
1eb6a682e840cb04f611ab5f768b65d1f41c898e11ad3c6d0545d03562c03ad0  /usr/share/audit/sample-rules/30-ospp-v42-4-delete-failed.rules
2c4e9dbd58405bc275e7e187d6ec2eb9436aa54073f557b83ef6e4a06a55fc53  /usr/share/audit/sample-rules/30-ospp-v42-4-delete-success.rules
on x86_64 and s390x

293f22a6f9babf77aea552d69ced14ca82cf94984de10c9fafcca6674c99d499  /usr/share/audit/sample-rules/30-nispom.rules
f816faee268ae1c0f25d547f903182b1f6ed0bbb005bb77091617bc9d9e8e02f  /usr/share/audit/sample-rules/30-ospp-v42-1-create-failed.rules
58e45a5de54a58b4fb640a38643990523f815954fe30634184d388f7dc14e1ce  /usr/share/audit/sample-rules/30-ospp-v42-1-create-success.rules
00ddbe6c8bf04b5a4d334f66f71a64ba556ce0811f36f5382e89d4ad58c64530  /usr/share/audit/sample-rules/30-ospp-v42-2-modify-failed.rules
2628f73a77fa71ad0aba5cdd01fef63ba9b7cb08f4799bf017627cf84115cc4f  /usr/share/audit/sample-rules/30-ospp-v42-2-modify-success.rules
36685ba35d5402c40633de08f7445134419be60875e68b1d869cb7f3f4153d21  /usr/share/audit/sample-rules/30-ospp-v42-3-access-failed.rules
22d01156457138c1a4d1e57d3e167109a7e410ba4ae1a7a6633a02a94f1c37e8  /usr/share/audit/sample-rules/30-ospp-v42-3-access-success.rules
52b9839c59728a644541cf2a09265e4e094fe6df2cac550fddd6c99085e75fbe  /usr/share/audit/sample-rules/30-ospp-v42-4-delete-failed.rules
846c5dcc432d839cdc58e2ec5eb2553967d5b1cc464533f4f1aafad80c2c337a  /usr/share/audit/sample-rules/30-ospp-v42-4-delete-success.rules
on aarch64

Expected results:

The files should not differ ... so if the rules have to differ, they likely need to live somewhere else.

Additional info:

The /usr/share/audit/sample-rules location should likely be preserved, possibly as symlink, because many tools and processes expect it by now.

Comment 3 RHEL Program Management 2023-09-19 17:32:02 UTC

Issue migration from Bugzilla to Jira is in process at this time. This will be the last message in Jira copied from the Bugzilla bug.

Comment 4 RHEL Program Management 2023-09-19 17:37:04 UTC

This BZ has been automatically migrated to the issues.redhat.com Red Hat Issue Tracker. All future work related to this report will be managed there.

Due to differences in account names between systems, some fields were not replicated.  Be sure to add yourself to Jira issue's "Watchers" field to continue receiving updates and add others to the "Need Info From" field to continue requesting information.

To find the migrated issue, look in the "Links" section for a direct link to the new issue location. The issue key will have an icon of 2 footprints next to it, and begin with "RHEL-" followed by an integer.  You can also find this issue by visiting https://issues.redhat.com/issues/?jql= and searching the "Bugzilla Bug" field for this BZ's number, e.g. a search like:

"Bugzilla Bug" = 1234567

In the event you have trouble locating or viewing this issue, you can file an issue by sending mail to rh-issues. You can also visit https://access.redhat.com/articles/7032570 for general account information.