Bug 492166

Summary: Problem with filtering based on auid
Product: Red Hat Enterprise Linux 4
Reporter: Michal Marciniszyn <mmarcini>
Component: audit
Assignee: Steve Grubb <sgrubb>
Status: CLOSED WONTFIX
QA Contact: BaseOS QE <qe-baseos-auto>
Severity: urgent
Priority: urgent
Version: 4.7
CC: ebenes, jwest, sgrubb, tvujec
Target Milestone: rc
Keywords: ZStream
Hardware: All
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-06-20 16:15:54 UTC
Bug Blocks: 557032

Description Michal Marciniszyn 2009-03-25 17:38:00 UTC
Description of problem:
On PPC, i386 and s390 architectures, whenever a user gets auid -1 (i.e. cat /proc/self/ returns 4294967295), filtering of the syscalls based on auid=4294967295 does not work. OTOH it works with no problems on IA64, x86_64 and s390x.

Version-Release number of selected component (if applicable):
kernel-2.6.9-78.0.17.EL
audit-1.0.16-3.el4_7.1

How reproducible:
always

Steps to Reproduce:
1. Get loginuid -1 on any of those arch.
2. auditctl -d exit,always -S <syscall> -F auid=4294967295
3. use the syscall
4. check that there is the log about the syscall in the /var/log/audit/audit.log

- or -
use audit-test from kernel/security/audit, namely filter part, test process_attrs
  
Actual results:
No log about syscall whenever -F auid=4294967295 is present. Correct log message present when -F auid=4294967295 is omitted.

Expected results:
log about the syscall in /var/log/audit/audit.log

Additional info:
Whenever user has ordinary login_uid (like 0), then it works perfectly.

Log from s390 without auid in the filter:
type=SYSCALL,CWD,PATH msg=audit(1238000396.640:342): arch=80000016 syscall=5 success=yes exit=3 a0=7ffffa97 a1=8000 a2=0 a3=1 items=1 pid=23977 auid=4294967295 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 comm=cat exe=/bin/cat cwd=/mnt/testarea/tests/kernel/security/audit/audit-test/audit-test/filter/tests rdev=00:00 ouid=0 dev=fd:00 flags=101 mode=0100600 name=/tmp/tmp.pbCMb23963 ogid=0 inode=641999

Comment 1 Eric Paris 2009-03-25 19:41:41 UTC
We are looking at it, but for now, we know you can use auid=-1 to get what you want.

Comment 2 Steve Grubb 2009-03-25 19:59:30 UTC
The source of the problem is in libaudit.c:

@@ -641,7 +641,7 @@ int audit_rule_fieldpair(struct audit_ru
                        vlen = strlen(v);
                        if (isdigit((char)*(v)))
                                rule->values[rule->field_count] =
-                                       strtol(v, NULL, 0);
+                                       strtoul(v, NULL, 0);
                        else if (vlen >= 2 && *(v)=='-' &&
                                                (isdigit((char)*(v+1))))
                                rule->values[rule->field_count] =
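
Review bot: The replacement call on the + line, strtoul(v, NULL, 0), still passes NULL as the end pointer and never checks errno, so a value with trailing characters or one that overflows unsigned long is stored silently. That is the same class of failure this bug came from: where long is 32 bits, strtol() clamps 4294967295 to LONG_MAX and the rule then never matches the reported auid. Suggest setting errno = 0 before the call, passing an end pointer, and rejecting the rule when errno is ERANGE or the end pointer does not land on the terminating NUL. Separately, isdigit((char)*(v)) on the context line should cast to unsigned char, since passing a negative char value to isdigit() is undefined.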

Need to build a new audit package. Btw, this same patch is needed in RHEL5 and rawhide.
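
Added example, not part of the original report and not libaudit code: it shows why a rule value of 4294967295 parsed with strtol() on a 32-bit long can never equal the logged auid, next to a strict parser that rejects bad input instead of clamping. The names parse_like_strtol32 and parse_u32_field are hypothetical, and the 32-bit clamp is emulated with strtoll so the result is the same on any host.

```c
#include <errno.h>
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* Emulates strtol() where long is 32 bits: out-of-range input clamps to
 * LONG_MAX/LONG_MIN. Built on strtoll so the result is the same on any host. */
static uint32_t parse_like_strtol32(const char *v)
{
    long long n = strtoll(v, NULL, 0);
    if (n > INT32_MAX) n = INT32_MAX;
    if (n < INT32_MIN) n = INT32_MIN;
    return (uint32_t)(int32_t)n;
}

/* Hypothetical strict parser (assumption, not libaudit code): accepts
 * 0..4294967295 and "-1" for the unset auid; rejects empty input, trailing
 * characters and anything out of range. Returns 0 on success, -1 on error. */
static int parse_u32_field(const char *v, uint32_t *out)
{
    char *end;
    long long n;

    errno = 0;
    n = strtoll(v, &end, 0);
    if (end == v || *end != '\0' || errno == ERANGE)
        return -1;
    if (n < -1 || n > (long long)UINT32_MAX)
        return -1;
    *out = (uint32_t)n;   /* -1 wraps to 4294967295 */
    return 0;
}

int main(void)
{
    /* Constructed inputs; 4294967295 is the auid shown in the logged record. */
    const char *samples[] = { "4294967295", "-1", "0", "4294967296", "42x" };
    const uint32_t logged_auid = UINT32_MAX;

    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        uint32_t strict = 0;
        int rc = parse_u32_field(samples[i], &strict);
        uint32_t old = parse_like_strtol32(samples[i]);
        printf("%-11s strtol32=%-10" PRIu32 " match=%d  strict rc=%d val=%" PRIu32 "\n",
               samples[i], old, old == logged_auid, rc, strict);
    }
    return 0;
}
```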

Comment 3 RHEL Program Management 2009-03-25 20:01:56 UTC
Since RHEL 4.8 External Beta has begun, and this bugzilla remains 
unresolved, it has been rejected as it is not proposed as exception or 
blocker.

Comment 9 Jiri Pallich 2012-06-20 16:15:54 UTC
Thank you for submitting this issue for consideration in Red Hat Enterprise Linux. The release for which you requested us to review is now End of Life. 
Please see https://access.redhat.com/support/policy/updates/errata/

If you would like Red Hat to re-consider your feature request for an active release, please re-open the request via appropriate support channels and provide additional supporting details about the importance of this issue.