Bug 697463

Summary: Broken autrace -r on s390x
Product: Red Hat Enterprise Linux 6
Reporter: Eduard Benes <ebenes>
Component: audit
Assignee: Steve Grubb <sgrubb>
Status: CLOSED ERRATA
QA Contact: BaseOS QE Security Team <qe-baseos-security>
Severity: high
Docs Contact:
Priority: high    
Version: 6.1   
Target Milestone: rc   
Target Release: ---   
Hardware: s390x   
OS: Linux   
Whiteboard:
Fixed In Version: audit-2.1-4.el6
Doc Type: Bug Fix
Doc Text:
Previously, the "autrace -r" command on the s390x architecture attempted to audit network syscalls not available on s390x. Consequently, an error similar to the following might have been returned:
Error inserting audit rule for pid=13163
With this update, "autrace -r" is now aware of system calls not available on this architecture, which resolves this issue.
Last Closed: 2011-05-19 09:55:43 EDT
Bug Blocks: 682670, 584498, 846801, 846802    
Attachments:
strace output of autrace -r /bin/ls on s390x (flags: none)

Description Eduard Benes 2011-04-18 07:05:25 EDT
Created attachment 492856
strace output of autrace -r /bin/ls on s390x

Description of problem:
Autrace fails to add audit rules to trace a process on s390 in resource usage mode when it is set to limit syscalls collected to ones needed for analysing resource usage.

Version-Release number of selected component (if applicable):
audit-2.1-3.el6.s390x
# uname -a
Linux auto-s390-002.ss.eng.bos.redhat.com 2.6.32-128.el6.s390x #1 SMP Mon Mar 28 21:58:33 EDT 2011 s390x s390x s390x GNU/Linux

How reproducible:
always

Steps to Reproduce:
1. # autrace -r /bin/ls
  
Actual results:
[root@auto-s390-002 ~]# autrace -r /bin/ls
Error inserting audit rule for pid=13163

Expected results:
Something like this
# autrace -r /bin/ls
Waiting to execute: /bin/ls
 ...
Cleaning up...
Trace complete. You can locate the records with 'ausearch -i -p 30207'

Additional info:
Works as expected without the resource usage mode 
# autrace /bin/ls /tmp
 ...
Cleaning up...
Trace complete. You can locate the records with 'ausearch -i -p 13192'

Comment 1 Steve Grubb 2011-04-18 08:14:44 EDT
Fixed upstream in this commit:
https://fedorahosted.org/audit/changeset/518

Comment 5 Steve Grubb 2011-04-20 11:01:30 EDT
audit-2.1-4.el6 was built to resolve this problem.

Comment 10 errata-xmlrpc 2011-05-19 09:55:43 EDT
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2011-0653.html