Bug 2231089

Summary: ausearch prints a misleading error message when using "--input <file>"
Product: Red Hat Enterprise Linux 9 Reporter: Renaud Métrich <rmetrich>
Component: auditAssignee: Sergio Correia <scorreia>
Status: NEW --- QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: low Docs Contact:
Priority: low    
Version: 9.2CC: alakatos, rblakley, sgrubb
Target Milestone: rcKeywords: Triaged
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Renaud Métrich 2023-08-10 14:30:42 UTC 
This bug was initially created as a copy of Bug #2231088

I am copying this bug because: 

Also happens on RHEL9 (audit-3.0.7-103.el9.x86_64)

Description of problem:

When processing a file using "ausearch --input <file>" as non-root user, the following gets printed:
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------
$ ausearch --input /tmp/audit.log --just-one
Error opening config file (Permission denied)
NOTE - using built-in logs: /var/log/audit/audit.log
----
time->Wed Aug  9 13:55:01 2023
type=USER_ACCT msg=audit(1691582101.695:13926): pid=341128 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:crond_t:s0-s0:c0.c1023 msg='op=PAM:accounting grantors=pam_access,pam_unix,pam_sss,pam_permit acct="rmetrich" exe="/usr/sbin/crond" hostname=? addr=? terminal=cron res=success'
-------- 8< ---------------- 8< ---------------- 8< ---------------- 8< --------

Internally strace shows ausearch tries to open /etc/audit/auditd.conf, but of course that's not possible.
Still the file gets processed properly, the message is just annoying and misleading.

Version-Release number of selected component (if applicable):

audit-3.1.1-1.fc38.x86_64

How reproducible:

Always, just open an audit log with proper permissions as a user