Bug 1662516 - Problem with script 31-privileged.rules
Summary: Problem with script 31-privileged.rules
Alias: None
Product: Fedora
Classification: Fedora
Component: audit
Version: 29
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Steve Grubb
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2018-12-29 06:59 UTC by Alexander W. Janssen
Modified: 2019-01-03 16:22 UTC

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
Clone Of:
Last Closed: 2019-01-03 16:22:42 UTC
Type: Bug

Attachments
Patch to fix 31-privileged.rules (1.93 KB, patch)
2018-12-29 06:59 UTC, Alexander W. Janssen

Description Alexander W. Janssen 2018-12-29 06:59:24 UTC
Created attachment 1517324
Patch to fix 31-privileged.rules

Description of problem:
The provided script /usr/share/doc/audit/rules/31-privileged.rules which is used to generate system-specific rules contains errors while awk is generating a rule by parsing the output of filecap.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. Pick one of the filecap commands from 31-privileged.rules and run it
2. Observe that -F path=$x is not the path, but the string "effective"/"permitted" (etc)

Actual results:
The following example statement is being used, resulting in an invalid audit rule:
# filecap /usr/bin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' | head -1
-a always,exit -F path=effective -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Expected results:
# filecap /usr/bin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' | head -1
-a always,exit -F path=/usr/bin/dumpcap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Additional info:
The provided mini-patch, which simply replaces $1 by $2 for all filecap calls, fixes the problem.
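
Added example, not part of the original report or of the audit project's code: a sanity check that catches this class of mistake before generated rules are loaded, by requiring every path= value to be an absolute path. The sample filecap output is constructed, with the column layout assumed from the report above (set name first, path second); the function names and /usr/bin/example-tool are hypothetical.

```shell
#!/bin/sh
# Constructed sample of filecap output (not captured from a real system).
# Layout assumed from the report: one header line, then "<set> <path> <caps>".
sample_filecap() {
cat <<'EOF'
set       file                   capabilities
effective /usr/bin/dumpcap       net_admin, net_raw
permitted /usr/bin/example-tool  setgid
EOF
}

# gen_rules FIELD: turn filecap-style stdin into audit rules, taking the
# path from awk field number FIELD (1 = the behaviour reported, 2 = the fix).
gen_rules() {
    sed '1d' | awk -v f="$1" '{
        printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $f
    }'
}

# check_rules: read rules on stdin, print every rule whose path= value is
# missing or not absolute, and return non-zero if any such rule was seen.
check_rules() {
    awk '{
        ok = 0
        for (i = 1; i <= NF; i++)
            if ($i ~ /^path=\//) ok = 1
        if (!ok) { print "rejected: " $0; bad++ }
    }
    END { exit (bad > 0) }'
}

# Stand-alone demonstration on the constructed sample.
echo "field 1 (as reported):"
sample_filecap | gen_rules 1 | check_rules || echo "  -> rules rejected"
echo "field 2 (as patched):"
sample_filecap | gen_rules 2 | check_rules && echo "  -> all rules accepted"
```

On a real system the output of the filecap pipeline would be piped into check_rules in place of the sample, before the rules are written under /etc/audit/rules.d.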

Comment 1 Steve Grubb 2018-12-31 20:04:05 UTC
Thanks for pointing this out. Fix in upstream commit 7c03224.

Comment 2 Steve Grubb 2019-01-03 16:22:42 UTC
I am going to close this bz report. Thanks for pointing out the problem. A fix will be in the next release. If you see any other problems, please let me know.
