Bug 226780

Summary: LSPP: audit of writes to files of bin_t produces no records
Product: Red Hat Enterprise Linux 5
Reporter: Steve Grubb <sgrubb>
Component: audit
Assignee: Steve Grubb <sgrubb>
Status: CLOSED ERRATA
QA Contact: Brian Brock <bbrock>
Severity: medium
Priority: medium    
Version: 5.0   
Target Milestone: ---   
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: RHBA-2007-0602
Doc Type: Bug Fix
Last Closed: 2007-11-07 17:02:35 UTC
Bug Blocks: 224041    

Description Steve Grubb 2007-02-01 15:51:11 UTC
Description of problem:
Auditing writes to files of label bin_t does not seem to produce any records. (I
do not think it's limited to bin_t, that's just the test case.)

Version-Release number of selected component (if applicable):
2.6.18-6el5

How reproducible:
always

Steps to Reproduce:
[root ~]# cp /bin/bash /bin/aubash
[root ~]# ls -Z /bin/aubash
-rwxr-xr-x  root root user_u:object_r:bin_t            /bin/aubash
[root ~]# auditctl -a exit,always -F perm=w -F obj_type=bin_t -F key=executable
[root ~]# echo "test" > /bin/aubash
[root ~]# cat /bin/aubash
test
[root ~]# ausearch --start recent -k executable
<no matches>

Expected results:
ausearch to have found a record.

Comment 1 Alexander Viro 2007-02-05 15:36:54 UTC
OK, so far it looks like kernel gets empty permissions mask (instead
of -w-).  Either auditctl or kernel-side code that decodes userland
rule...

Comment 2 Steve Grubb 2007-02-05 17:56:27 UTC
This problem was a missing case statement in libaudit...reassigning bug.
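
An added illustration (not libaudit's code and not part of the original report) of how a missing case in a rule-field switch can produce the empty mask described in comments 1 and 2. The function names are hypothetical, and the fall-through to a numeric parse is an assumption about the mechanism; the permission bits and field id are the values from <linux/audit.h>.

```c
#include <stdio.h>
#include <stdlib.h>

/* Values as in <linux/audit.h>. */
enum { AUDIT_PERM_EXEC = 1, AUDIT_PERM_WRITE = 2, AUDIT_PERM_READ = 4,
       AUDIT_PERM_ATTR = 8, AUDIT_PERM = 106 };

/* Hypothetical helper: turn "w", "rwa", ... into a mask; -1 on bad input. */
static int parse_perm(const char *v)
{
    int mask = 0;
    for (; *v; v++) {
        switch (*v) {
        case 'r': mask |= AUDIT_PERM_READ;  break;
        case 'w': mask |= AUDIT_PERM_WRITE; break;
        case 'x': mask |= AUDIT_PERM_EXEC;  break;
        case 'a': mask |= AUDIT_PERM_ATTR;  break;
        default:  return -1;
        }
    }
    return mask ? mask : -1;   /* an empty mask is never a valid rule */
}

/* Buggy shape (assumed): no case for AUDIT_PERM, so "w" reaches the numeric
 * default, strtol() returns 0, and the rule goes out with an empty mask. */
static int encode_field_buggy(int field, const char *v)
{
    switch (field) {
    default: return (int)strtol(v, NULL, 0);
    }
}

/* Fixed shape: dedicated case, and the default refuses non-numeric text. */
static int encode_field_fixed(int field, const char *v)
{
    char *end;
    long n = strtol(v, &end, 0);   /* only used by the numeric default */
    switch (field) {
    case AUDIT_PERM: return parse_perm(v);
    default:         return (end == v || *end != '\0') ? -1 : (int)n;
    }
}

int main(void)
{
    printf("buggy: %d  fixed: %d\n", encode_field_buggy(AUDIT_PERM, "w"),
           encode_field_fixed(AUDIT_PERM, "w"));
    return 0;
}
```

The buggy encoder accepts the rule and returns 0, which matches the symptom in the report: the rule loads without error but never matches a write.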

Comment 3 Irina Boverman 2007-02-14 21:13:19 UTC
Per 2/12 discussion, patch has been isolated, Steve will build new audit package
to test it.

Comment 5 Steve Grubb 2007-03-07 00:22:03 UTC
audit package 1.3.1-2 was built to solve this problem.

Comment 9 errata-xmlrpc 2007-11-07 17:02:35 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0602.html