Bug 223918 - LSPP: audit logs bogus obj label in some PATH records
LSPP: audit logs bogus obj label in some PATH records
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel (Show other bugs)
5.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Eric Paris
Brian Brock
: OtherQA
Depends On:
Blocks: RHEL5LSPPCertTracker
  Show dependency treegraph
 
Reported: 2007-01-22 20:42 EST by Amy Griffis
Modified: 2009-06-19 09:20 EDT (History)
6 users (show)

See Also:
Fixed In Version: RHBA-2007-0959
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-07 14:21:48 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)
Untested patch against lspp.63 kernel. (620 bytes, patch)
2007-01-23 18:43 EST, Amy Griffis
no flags Details | Diff
LSPP.65 kernel patch for this issue. Needs testing before internal submission (534 bytes, patch)
2007-02-19 12:16 EST, Eric Paris
no flags Details | Diff

  None (edit)
Description Amy Griffis 2007-01-22 20:42:19 EST
Description of problem:

Audit determines a file's obj label (via selinux) from the inode struct. If
there is no inode data, audit should not log an obj label. Currently audit
incorrectly logs a bugs obj label when there is no inode data present in a PATH
record.

Version-Release number of selected component (if applicable):


How reproducible:

Steps to Reproduce:
# auditctl -a exit,always -S symlink; ln -s /tmp/foo /tmp/foosym; auditctl -d
exit,always -S symlink
  
Actual results:
type=CONFIG_CHANGE msg=audit(1169513908.467:78234): auid=500
subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 add rule key=(null)
list=4 res=1

type=SYSCALL msg=audit(1169513908.469:78235): arch=c000003e syscall=88
success=yes exit=0 a0=7ffff0becb89 a1=7ffff0becb92 a2=0 a3=0 items=3 ppid=27219
pid=27346 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts2 comm="ln" exe="/bin/ln"
subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 key=(null)
type=CWD msg=audit(1169513908.469:78235):  cwd="/home/eal"
type=PATH msg=audit(1169513908.469:78235): item=0 name="/tmp/foo"
obj=system_u:object_r:locale_t:s0
type=PATH msg=audit(1169513908.469:78235): item=1 name="/tmp/" inode=917505
dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 
obj=system_u:object_r:tmp_t:s0-s15:c0.c1023
type=PATH msg=audit(1169513908.469:78235): item=2 name="/tmp/foosym"
inode=917507 dev=fd:00 mode=0120777 ouid=0 ogid=0 rdev=00:00
obj=staff_u:object_r:lspp_harness_tmp_t:s0

type=CONFIG_CHANGE msg=audit(1169513908.470:78236): auid=500
subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 remove rule key=(null)
list=4 res=1

Note that the obj label for /tmp/foo is logged as system_u:object_r:locale_t:s0.
ls shows us this is wrong.

# ls -Z /tmp/foo
-rw-r--r--  root root staff_u:object_r:tmp_t:SystemLow /tmp/foo

Expected results:

In audit_log_exit() there is a check that osid != 0 before proceeding to convert
it to a string context. In this case, since there was no inode data collected
for the name, osid should be 0.

Additional info:

Since audit_contexts can be reused, __audit_getname() initializes several
audit_names fields to default values. __audit_getname() should also initialize
the name's osid to 0.
Comment 1 Amy Griffis 2007-01-23 18:43:08 EST
Created attachment 146375 [details]
Untested patch against lspp.63 kernel.
Comment 2 Eric Paris 2007-01-26 09:46:59 EST
Testing shows this patch works well in the lspp.64 kernel.  My audit record is
below:

type=SYSCALL msg=audit(1169822431.500:45): arch=40000003 syscall=83 success=yes
exit=0 a0=bfbc0bd7 a1=bfbc0be0 a2=804f42c a3=0 items=3 ppid=1896 pid=1969 auid=0
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="ln"
exe="/bin/ln" subj=root:system_r:unconfined_t:s0-s0:c0.c255 key=(null)
type=CWD msg=audit(1169822431.500:45):  cwd="/tmp"
type=PATH msg=audit(1169822431.500:45): item=0 name="/tmp/foo"
type=PATH msg=audit(1169822431.500:45): item=1 name="/tmp/" inode=2452801
dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0
type=PATH msg=audit(1169822431.500:45): item=2 name="/tmp/foosym" inode=2456816
dev=fd:00 mode=0120777 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:tmp_t:s0
Comment 3 Irina Boverman 2007-02-14 15:49:05 EST
per 2/12 discussion, Amy is reworking the patch and will make it available for
review shortly.
Comment 4 Eric Paris 2007-02-19 12:16:52 EST
Created attachment 148343 [details]
LSPP.65 kernel patch for this issue.  Needs testing before internal submission
Comment 5 Amy Griffis 2007-03-05 16:48:02 EST
Verified in lspp.66 kernel.

type=SYSCALL msg=audit(1173131485.672:7442): arch=c000003e syscall=88
success=yes exit=0 a0=7fff0ea84953 a1=7fff0ea8495c a2=0 a3=0 items=3 ppid=22633
pid=5102 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0
tty=pts0 comm="ln" exe="/bin/ln"
subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 key=(null)
type=CWD msg=audit(1173131485.672:7442): 
cwd="/usr/local/eal4_testing/audit-test/utils/bin"
type=PATH msg=audit(1173131485.672:7442): item=0 name="/tmp/foo"
type=PATH msg=audit(1173131485.672:7442): item=1 name="/tmp/" inode=1048579
dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00
obj=system_u:object_r:tmp_t:s0-s15:c0.c1023
type=PATH msg=audit(1173131485.672:7442): item=2 name="/tmp/foosym"
inode=1048581 dev=fd:00 mode=0120777 ouid=0 ogid=0 rdev=00:00
obj=staff_u:object_r:lspp_harness_tmp_t:s0
Comment 6 Eric Paris 2007-03-06 16:27:48 EST
this patch needs to be accepted into an upstream tree and will then be submitted
for a RHEL5 update.
Comment 10 Don Zickus 2007-06-15 20:31:12 EDT
in 2.6.18-27.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
Comment 12 John Poelstra 2007-08-27 14:27:40 EDT
A fix for this issue should have been included in the packages contained in the
RHEL5.1-Snapshot3 on partners.redhat.com.  

Requested action: Please verify that your issue is fixed as soon as possible to
ensure that it is included in this update release.

After you (Red Hat Partner) have verified that this issue has been addressed,
please perform the following:
1) Change the *status* of this bug to VERIFIED.
2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified)

If this issue is not fixed, please add a comment describing the most recent
symptoms of the problem you are having and change the status of the bug to FAILS_QA.

More assistance: If you cannot access bugzilla, please reply with a message to
Issue Tracker and I will change the status for you.  If you need assistance
accessing ftp://partners.redhat.com, please contact your Partner Manager.
Comment 13 John Poelstra 2007-08-30 20:26:23 EDT
A fix for this issue should have been included in the packages contained in the
RHEL5.1-Snapshot4 on partners.redhat.com.  

Requested action: Please verify that your issue is fixed *as soon as possible*
to ensure that it is included in this update release.

After you (Red Hat Partner) have verified that this issue has been addressed,
please perform the following:
1) Change the *status* of this bug to VERIFIED.
2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified)

If this issue is not fixed, please add a comment describing the most recent
symptoms of the problem you are having and change the status of the bug to FAILS_QA.

If you cannot access bugzilla, please reply with a message to Issue Tracker and
I will change the status for you.  If you need assistance accessing
ftp://partners.redhat.com, please contact your Partner Manager.
Comment 14 John Poelstra 2007-09-11 15:22:53 EDT
A fix for this issue should have been included in the packages contained in the
RHEL5.1-Snapshot6 on partners.redhat.com.  

Requested action: Please verify that your issue is fixed ASAP to confirm that it
will be included in this update release.

After you (Red Hat Partner) have verified that this issue has been addressed,
please perform the following:
1) Change the *status* of this bug to VERIFIED.
2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified)

If this issue is not fixed, please add a comment describing the most recent
symptoms of the problem you are having and change the status of the bug to FAILS_QA.

If you cannot access bugzilla, please reply with a message to Issue Tracker and
I will change the status for you.  If you need assistance accessing
ftp://partners.redhat.com, please contact your Partner Manager.
Comment 15 John Poelstra 2007-09-20 00:47:57 EDT
A fix for this issue should have been included in the packages contained in the
RHEL5.1-Snapshot7 on partners.redhat.com.  

Requested action: Please verify that your issue is fixed ASAP to confirm that it
will be included in this update release.

After you (Red Hat Partner) have verified that this issue has been addressed,
please perform the following:
1) Change the *status* of this bug to VERIFIED.
2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified)

If this issue is not fixed, please add a comment describing the most recent
symptoms of the problem you are having and change the status of the bug to FAILS_QA.

If you cannot access bugzilla, please reply with a message to Issue Tracker and
I will change the status for you.  If you need assistance accessing
ftp://partners.redhat.com, please contact your Partner Manager.
Comment 16 Linda Knippers 2007-09-20 10:23:02 EDT
I tested this on rhel5 u1 snapshot 6 and it seems to work.
Comment 18 errata-xmlrpc 2007-11-07 14:21:48 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0959.html

Note You need to log in before you can comment on or make changes to this bug.