Created attachment 1517324
Patch to fix 31-privileged.rules

Description of problem:
The provided script /usr/share/doc/audit/rules/31-privileged.rules, which is used to generate system-specific rules, contains errors while awk is generating a rule by parsing the output of filecap.

Version-Release number of selected component (if applicable):
audit-3.0-0.5.20181218gitbdb72c0.fc29.x86_64

How reproducible:
Always

Steps to Reproduce:
1. Pick one of the filecap commands from 31-privileged.rules and run it
2. Observe that -F path=$x is not the path, but the string "effective"/"permitted" (etc)

Actual results:
The following example statement is being used, resulting in an invalid audit rule:

# filecap /usr/bin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $1 }' | head -1
-a always,exit -F path=effective -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Expected results:

# filecap /usr/bin 2>/dev/null | sed '1d' | awk '{ printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $2 }' | head -1
-a always,exit -F path=/usr/bin/dumpcap -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged

Additional info:
The provided mini-patch, which simply replaces $1 by $2 for all filecap-calls, fixes the problem.

Thanks for pointing this out. Fix in upstream commit 7c03224.
I am going to close this bz report. Thanks for pointing out the problem. A fix will be in the next release. If you see any other problems, please let me know.
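
The field mix-up from this report, reproduced offline together with a lint step that rejects generated rules whose path= value is not an absolute path. This is an added example, not part of the report or the audit project's code: the sample filecap output is constructed from the description above, its header text and capability names are illustrative, and gen_rules and lint_rules are hypothetical helper names.

```shell
#!/bin/sh
# Constructed sample of `filecap <dir>` output, modelled on the report:
# one header line (removed by sed '1d'), then "<set> <path> <caps>" rows.
# Header wording and capability names are illustrative assumptions.
sample_filecap() {
    cat <<'EOF'
set       file                 capabilities
effective /usr/bin/dumpcap     net_admin, net_raw
permitted /usr/bin/newuidmap   setuid
EOF
}

# Emit one rule per row. $1 picks the awk field used for path=
# (1 = behaviour described under "Actual results", 2 = after the fix).
gen_rules() {
    sed '1d' | awk -v col="$1" '{
        printf "-a always,exit -F path=%s -F perm=x -F auid>=1000 -F auid!=unset -F key=privileged\n", $col
    }'
}

# Lint generated rules read from stdin: each rule must carry a path=
# field whose value starts with "/". Offending rules are printed and
# the function returns non-zero if any were found.
lint_rules() {
    awk '{
        bad = 1
        for (i = 1; i <= NF; i++)
            if ($i ~ /^path=\//) bad = 0
        if (bad) { print "invalid path field: " $0; n++ }
    }
    END { exit (n > 0) }'
}

# Demo: field 1 yields path=effective / path=permitted and is rejected,
# field 2 yields real paths and passes.
sample_filecap | gen_rules 1 | lint_rules || echo "field 1: rejected"
sample_filecap | gen_rules 2 | lint_rules && echo "field 2: ok"
```

awk's default field splitting still breaks on paths that contain whitespace, and lint_rules does not catch that case when the first fragment starts with a slash.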