Bug 165611 - initscript shutdown, hwclock, and auditing
Product: Fedora
Classification: Fedora
Component: initscripts
All Linux
medium Severity medium
Assigned To: Bill Nottingham
Brock Organ
Duplicates: 210929 251213
Depends On:
Blocks: FC5Target
Reported: 2005-08-10 15:49 EDT by Steve Grubb
Modified: 2014-03-16 22:55 EDT (History)
Doc Type: Bug Fix
Last Closed: 2005-10-17 14:55:28 EDT

Description Steve Grubb 2005-08-10 15:49:00 EDT
Description of problem:
With the current version of util-linux, audit, kernel, and initscripts a message is hitting the console with audit information. hwclock was patched to send an audit event as any changes to it are part of CC security targets. 

However, the audit daemon has already exited by the time hwclock sync is done during shutdown or reboot. The hwclock sync really needs to be done earlier so that it gets recorded by the audit daemon...and as a side effect...stops annoying users. I don't think it makes a big difference if the hwclock sync happens earlier does it?

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. make sure current audit, kernel, util-linux, and initscripts are installed
2. shutdown computer
3. watch console for audit event related to hwclock

Actual Results:  msg=audit(1123702797.998:1420642): user pid=4440 uid=0 auid=0 msg='hwclock: op=changing system time id=0 res=success'

Expected Results:  no messages

Additional info:
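Added example (not part of the bug report): a parser for the userspace audit record quoted in "Actual Results" above, so a log monitor can pick out hwclock change events and confirm they were recorded by auditd rather than only flashed on the console. The sample line is the one from the report; the field names are those in that line, and the nested msg='...' value is split on key= boundaries because values such as "changing system time" contain spaces.

```python
import re
from typing import Dict

# Constructed sample: the console line quoted in the report above.
SAMPLE_LINE = ("msg=audit(1123702797.998:1420642): user pid=4440 uid=0 auid=0 "
               "msg='hwclock: op=changing system time id=0 res=success'")

# Record header: msg=audit(<epoch.ms>:<serial>): <type> <fields...>
_HEADER = re.compile(
    r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<type>\w+)\s+(?P<rest>.*)$")
# Outer key=value fields; a quoted value may contain spaces and '=' signs.
_KV = re.compile(r"(\w+)=('(?:[^']*)'|\S+)")


def parse_audit_user_msg(line: str) -> Dict[str, str]:
    """Parse one userspace audit record into a flat dict.

    Returns the header (timestamp, serial, type), the outer key=value
    fields, and the program name plus key=value fields nested inside
    msg='...'. Raises ValueError if the line is not an audit record.
    """
    m = _HEADER.match(line.strip())
    if not m:
        raise ValueError("not an audit record: %r" % line)
    rec = {"timestamp": m.group("ts"), "serial": m.group("serial"),
           "type": m.group("type")}
    for key, val in _KV.findall(m.group("rest")):
        if key == "msg" and val.startswith("'"):
            # inner text looks like "hwclock: op=changing system time id=0 res=success"
            prog, _, body = val[1:-1].partition(":")
            rec["program"] = prog.strip()
            # split only at whitespace that precedes the next key=, so that
            # multi-word values such as "changing system time" stay intact
            for part in re.split(r"\s+(?=\w+=)", body.strip()):
                k, _, v = part.partition("=")
                rec[k] = v
        else:
            rec[key] = val
    return rec


def is_hwclock_change(rec: Dict[str, str]) -> bool:
    """True when the record is a successful hardware-clock change by hwclock."""
    return (rec.get("program") == "hwclock"
            and rec.get("op", "").startswith("changing")
            and rec.get("res") == "success")
```

A record whose serial is higher than the last one auditd wrote to its log is exactly the event this report says is being lost at shutdown.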
Comment 1 Bill Nottingham 2005-08-19 03:19:34 EDT
How can we be sure that more of these won't come later?

Is it possible for the audit system to disable printing to console on exit?
Comment 2 Steve Grubb 2005-08-19 07:55:24 EDT
The issue is that changes to the hardware clock are an auditable event in CAPP
and LSPP. We are missing that event because the clock sync occurs after the
audit daemon has been terminated. There may be other audit messages that hit the
screen on shutdown, but they probably aren't in the security target like hwclock.

The audit daemon could do something with dmesg to quieten messages that hit the
screen, but something important not related to auditing might get suppressed.
Comment 3 Bill Nottingham 2005-10-03 17:27:32 EDT
The problem is that creating a separate script *just* for syncing the clock is
certainly way too much overkill; realistically, it's at the proper place now.
Comment 4 Steve Grubb 2005-10-03 17:42:12 EDT
I was thinking this is just re-ordering what is in /etc/rc.d/init.d/halt. That's

The reason that this needs to be done is not because of getting rid of messages
to the console (although people would like that), it's about getting the sync
done while the audit daemon is alive so that the event is properly recorded. All
changes to hwclock are an auditable event in CAPP security targets.

I have been considering adding this to U3 proposed since it's a hole in auditing
right now.
Comment 5 Bill Nottingham 2005-10-03 17:55:14 EDT
Just moving it? You're implying that audit doesn't die when you shut down the
service, only when the killall command in halt is run?
Comment 6 Steve Grubb 2005-10-15 08:44:10 EDT
I spoke with Klaus of atsec about this bug report. He said that if we have not
written any code at this point, not to worry about it. He feels this is in the
nice-to-have category and can be explained away in Security Targets. So...if no
code has been written, this bug report can be closed.
Comment 7 Bill Nottingham 2005-10-17 14:55:28 EDT
Hasn't been changed yet, so closing.
Comment 8 Bill Nottingham 2006-10-16 13:28:27 EDT
*** Bug 210929 has been marked as a duplicate of this bug. ***
Comment 9 Need Real Name 2006-10-16 15:04:36 EDT
Well it's nice that it's closed, but it looks like something is going wrong,
which is why I filed bug 210929.

The Fedora wiki states that all AVC messages for software installed by default
are blockers, so I find it odd that this gets swept under the carpet.
Comment 10 Bill Nottingham 2007-08-07 15:49:53 EDT
*** Bug 251213 has been marked as a duplicate of this bug. ***
Comment 11 Martin Jürgens 2007-08-07 16:17:18 EDT
I have the same opinion as lsof. It should be fixed as stated in the wiki.  And
more than 2 years to fix a "nice to have" bug in that all users run when
shutting down their system are a lot, honestly.
