audit.spec contains things like:

%attr(750,root,root) /sbin/auditctl
%attr(750,root,root) /sbin/auditd
%attr(750,root,root) /sbin/autrace
%attr(750,root,root) /sbin/audispd
%attr(750,root,root) /sbin/augenrules
%attr(640,root,root) %{_unitdir}/auditd.service
%attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/resume
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/restart
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/condrestart

Please make all of the non-security-sensitive ones world-readable and, if applicable, world-executable. The current configuration adds no security whatsoever (anyone who cares can download those files from the original RPM), but it's annoying.

(Once upon a time, it made sense to keep the prelinked versions secret. This is no longer true -- prelinking is more or less dead, having been replaced with PIE.)
The permissions are exactly what they have to be. The audit system is not like other parts of the system. Its permissions are dictated by the needs for Common Criteria. I keep Fedora and RHEL in sync so there are no surprises. I apologize if this is an inconvenience.
Do you have a reference to the relevant CC rules? A quick skim through the docs found nothing remotely relevant. (If you're right, I just lost a considerable amount of respect for CC.)