Bug 228384
Summary: | LSPP: audit does not log obj label for traced process | ||
---|---|---|---|
Product: | Red Hat Enterprise Linux 5 | Reporter: | Amy Griffis <amy.griffis> |
Component: | kernel | Assignee: | Eric Paris <eparis> |
Status: | CLOSED ERRATA | QA Contact: | Brian Brock <bbrock> |
Severity: | medium | Docs Contact: | |
Priority: | medium | ||
Version: | 5.0 | CC: | iboverma, klaus, krisw, linda.knippers, sgrubb |
Target Milestone: | --- | Keywords: | OtherQA |
Target Release: | --- | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | |||
Fixed In Version: | RHBA-2007-0602 | Doc Type: | Bug Fix |
Doc Text: | Story Points: | --- | |
Clone Of: | Environment: | ||
Last Closed: | 2007-11-07 17:02:44 UTC | Type: | --- |
Regression: | --- | Mount Type: | --- |
Documentation: | --- | CRM: | |
Verified Versions: | Category: | --- | |
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
Cloudforms Team: | --- | Target Upstream Version: | |
Embargoed: | |||
Bug Depends On: | |||
Bug Blocks: | 224041 |
Description
Amy Griffis
2007-02-12 20:26:25 UTC
per 2/12 discussion, can we get Al Viro to help with this bug? Untested patch posted to linux-audit on March 5. Will review and get into a kernel as soon as possivle This request was evaluated by Red Hat Kernel Team for inclusion in a Red Hat Enterprise Linux maintenance release, and has moved to bugzilla status POST. I verified Al's patch in the lspp.68 kernel. Log output for success case: type=SYSCALL msg=audit(1173826483.702:7664): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=4c2f a2=0 a3=0 items=0 ppid=13429 pid=19506 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="do_ptrace" exe="/usr/local/eal4_testing/audit-test/utils/bin/do_ptrace" subj=staff_u:lspp_test_r:lspp_test_generic_t:s0 key=(null) type=UNKNOWN[1318] msg=audit(1173826483.702:7664): opid=19503 obj=staff_u:lspp_test_r:lspp_harness_t:s0 Log output for failure case: type=SYSCALL msg=audit(1173826511.922:7667): arch=c000003e syscall=101 success=no exit=-1 a0=10 a1=4c2f a2=0 a3=0 items=0 ppid=13429 pid=19509 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="do_ptrace" exe="/usr/local/eal4_testing/audit-test/utils/bin/do_ptrace" subj=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023 key=(null) type=UNKNOWN[1318] msg=audit(1173826511.922:7667): opid=19503 obj=staff_u:lspp_test_r:lspp_harness_t:s0 The aux record type is UNKNOWN pending userspace change. in 2.6.18-27.el5 You can download this test kernel from http://people.redhat.com/dzickus/el5 An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0602.html |