From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.10) Gecko/20050720 Fedora/1.0.6-1.1.fc3 Firefox/1.0.6

Description of problem:
With the current version of util-linux, audit, kernel, and initscripts a message is hitting the console with audit information. hwclock was patched to send an audit event, as any changes to it are part of CC security targets. However, the audit daemon has already exited by the time the hwclock sync is done during shutdown or reboot. The hwclock sync really needs to be done earlier so that it gets recorded by the audit daemon...and as a side effect...stops annoying users. I don't think it makes a big difference if the hwclock sync happens earlier, does it?

Version-Release number of selected component (if applicable):
initscripts-8.11.1-1

How reproducible:
Always

Steps to Reproduce:
1. make sure current audit, kernel, util-linux, and initscripts are installed
2. shutdown computer
3. watch console for audit event related to hwclock

Actual Results:
msg=audit(1123702797.998:1420642): user pid=4440 uid=0 auid=0 msg='hwclock: op=changing system time id=0 res=success'

Expected Results:
no messages

Additional info:
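As an added example (not code from the bug report, initscripts or audit), here is a small parser for the audit console record quoted above, plus a check that flags hwclock change events emitted after auditd had already announced its exit, which is exactly the gap described. The auditd exit line, its timestamp and the ordering are constructed, not a real capture.

```python
import re
from typing import Dict, List

# Constructed sample: the second line mirrors the console record quoted in the
# bug report; the first is a hypothetical auditd exit record placed earlier in
# the shutdown sequence. Neither is a real capture.
SAMPLE_LINES = [
    "msg=audit(1123702790.100:1420640): auditd normal halt, sending auid=0 pid=4400 res=success",
    "msg=audit(1123702797.998:1420642): user pid=4440 uid=0 auid=0 "
    "msg='hwclock: op=changing system time id=0 res=success'",
]

HEADER_RE = re.compile(r"msg=audit\((\d+)\.(\d+):(\d+)\):\s*(.*)$")
QUOTED_MSG_RE = re.compile(r"msg='([^']*)'")
# key=value pairs whose value may contain spaces ("op=changing system time")
KV_RE = re.compile(r"(\w+)=(.*?)(?=\s+\w+=|$)")


def parse_kv(text: str) -> Dict[str, str]:
    return {k: v.strip() for k, v in KV_RE.findall(text)}


def parse_record(line: str) -> Dict[str, object]:
    """Split one audit console line into timestamp, serial, fields and the quoted msg."""
    m = HEADER_RE.search(line)
    if not m:
        raise ValueError(f"not an audit record: {line!r}")
    secs, millis, serial, body = m.groups()
    quoted = QUOTED_MSG_RE.search(body)
    inner_text = quoted.group(1) if quoted else ""
    outer_text = QUOTED_MSG_RE.sub("", body)
    # the quoted message starts with the program name ("hwclock:"), then its own pairs
    program, _, inner_kv = inner_text.partition(":")
    return {
        "time": float(f"{secs}.{millis}"),
        "serial": int(serial),
        "body": body,
        "fields": parse_kv(outer_text),
        "program": program.strip() if inner_kv else "",
        "inner": parse_kv(inner_kv),
    }


def unrecorded_hwclock_changes(lines: List[str]) -> List[int]:
    """Serials of hwclock change events that fired after auditd announced its exit.

    Such records still reach the console via printk but no longer reach the
    audit log, so the clock change is not captured by the daemon."""
    records = sorted((parse_record(l) for l in lines), key=lambda r: (r["time"], r["serial"]))
    daemon_alive, missed = True, []
    for rec in records:
        if rec["body"].startswith("auditd normal halt"):
            daemon_alive = False
        elif rec["program"] == "hwclock" and not daemon_alive:
            missed.append(rec["serial"])
    return missed
```

Moving the hwclock sync before auditd is stopped (the reordering discussed in this thread) makes the check return an empty list for the same two records.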
How can we be sure that more of these won't come later? Is it possible for the audit system to disable printing to console on exit?
The issue is that changes to the hardware clock are an auditable event in CAPP and LSPP. We are missing that event because the clock sync occurs after the audit daemon has been terminated. There may be other audit messages that hit the screen on shutdown, but they probably aren't in the security target like hwclock adjustment. The audit daemon could do something with dmesg to quieten messages that hit the screen, but something important not related to auditing might get suppressed.
The problem is that creating a separate script *just* for syncing the clock is certainly way too much overkill; realistically, it's at the proper place now.
I was thinking this is just re-ordering what is in /etc/rc.d/init.d/halt. That's all. The reason that this needs to be done is not because of getting rid of messages to the console (although people would like that), it's about getting the sync done while the audit daemon is alive so that the event is properly recorded. All changes to hwclock are an auditable event in CAPP security targets. I have been considering adding this to U3 proposed since it's a hole in auditing right now.
Just moving it? You're implying that audit doesn't die when you shut down the service, only when the killall command in halt is run?
I spoke with Klaus of atsec about this bug report. He said that if we have not written any code at this point, not to worry about it. He feels this is in the nice-to-have category and can be explained away in Security Targets. So...if no code has been written, this bug report can be closed.
Hasn't been changed yet, so closing.
*** Bug 210929 has been marked as a duplicate of this bug. ***
Well, it's nice that it's closed, but it looks like something is going wrong, which is why I filed bug 210929. The Fedora wiki states that all AVC messages for software installed by default are blockers, so I find it odd that this gets swept under the carpet.
*** Bug 251213 has been marked as a duplicate of this bug. ***
I have the same opinion as lsof. It should be fixed as stated in the wiki. And more than 2 years to fix a "nice to have" bug that all users run into when shutting down their system is a lot, honestly.