Red Hat Bugzilla – Bug 1256950
BUG: audit subsystem adds BPRM_FCAPS record on setuid execution
Last modified: 2016-06-02 16:14:32 EDT
Description of problem: The audit subsystem is adding a BPRM_FCAPS record when auditing setuid application execution. This is not expected as it was supposed to be limited to when the file system actually had capabilities in an extended attribute. Version-Release number of selected component (if applicable): 4.1.5-200.fc22.x86_64 Steps to Reproduce: 1. auditctl -a always,exit -F arch=b64 -S execve -C uid!=euid -F euid=0 -F key=setuid-exec 2. su - root 3. ausearch --start recent -k setuid-exec -i Actual results: It lists all capabilities making the event really ugly to parse what is happening. Expected results: No BPRM_FCAPS record. The PATH record correctly records the setuid bit and owner.
*********** MASS BUG UPDATE ************** We apologize for the inconvenience. There is a large number of bugs to go through and several of them have gone stale. Due to this, we are doing a mass bug update across all of the Fedora 22 kernel bugs. Fedora 22 has now been rebased to 4.2.3-200.fc22. Please test this kernel update (or newer) and let us know if you issue has been resolved or if it is still present with the newer kernel. If you have moved on to Fedora 23, and are still experiencing this issue, please change the version to Fedora 23. If you experience different issues, please open a new bug report for those.
Moving to Rawhide to avoid Fedora MASS BUG UPDATEs.
Marking this as CLOSED/DEFERRED as we are tracking this upstream bugs on GitHub. * https://github.com/linux-audit/audit-kernel/issues/16