Bug 130266 - audit module has problem executing filter rules for symlink syscall
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 3
Classification: Red Hat
Component: kernel
Version: 3.0
Hardware: i686 Linux
Priority: medium, Severity: medium
Assigned To: Peter Martuccelli
QA Contact: Brian Brock
Reported: 2004-08-18 11:59 EDT by Stephanie Lockwood-Childs
Modified: 2007-11-30 17:07 EST
Doc Type: Bug Fix
Last Closed: 2004-12-20 15:55:56 EST

Attachments
patch to allow filtering audit events based on file attributes of 1st argument to symlink (467 bytes, patch)
2004-08-18 12:02 EDT, Stephanie Lockwood-Childs

Description Stephanie Lockwood-Childs 2004-08-18 11:59:47 EDT
Description of problem:
When I create auditing rules in /etc/audit/filter.conf that enable 
auditing for the symlink syscall, I am unable to base the decision on 
the file attributes of the first argument, e.g.

# does NOT work
syscall symlink = is-system-file(arg0);

Instead of logging attempts to create a link based on the attributes 
of the file being linked to, the kernel generates error messages

"Filter target 0x0 not known or not supported in this context"



Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Put the above rule in /etc/audit/filter.conf
2. /etc/init.d/audit restart
3. Create a soft link
    

Actual Results:  the kernel generates an error message
"Filter target 0x0 not known or not supported in this context"
for each attempt to create a soft link

Expected Results:  audit records should be generated when a soft link 
is made to a system file, and nothing should happen when a soft link 
is made to a non-system file

Additional info:

The cause of this problem is in the description of the symlink 
syscall in drivers/audit/syscall.c, which specifies the first arg as 
type string even though it is really a path. The fix is a one-liner 
patch, which I will attach.
Comment 1 Stephanie Lockwood-Childs 2004-08-18 12:02:07 EDT
Created attachment 102846
patch to allow filtering audit events based on file attributes of 1st argument to symlink
Comment 2 Stephanie Lockwood-Childs 2004-08-18 12:02:14 EDT
Created attachment 102847
patch to allow filtering audit events based on file attributes of 1st argument to symlink
Comment 3 Stephanie Lockwood-Childs 2004-08-18 12:12:52 EDT
Comment on attachment 102846
patch to allow filtering audit events based on file attributes of 1st argument to symlink

browser somehow submitted patch twice, sorry
Comment 4 Stephanie Lockwood-Childs 2004-08-18 12:23:59 EDT
should be "target 0x203", not "target 0x0" in the error message, I 
copied in the wrong message from my syslog (unrelated problem with 
auditing pread syscall)
Comment 5 Ernie Petrides 2004-09-21 02:13:47 EDT
A fix for this problem has just been committed to the RHEL3 U4
patch pool this evening (in kernel version 2.4.21-20.9.EL).
Comment 6 John Flanagan 2004-12-20 15:55:56 EST
An errata has been issued which should help the problem 
described in this bug report. This report is therefore being 
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files, 
please follow the link below. You may reopen this bug report 
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2004-550.html
