Description of problem: Audit determines a file's obj label (via selinux) from the inode struct. If there is no inode data, audit should not log an obj label. Currently audit incorrectly logs a bugs obj label when there is no inode data present in a PATH record. Version-Release number of selected component (if applicable): How reproducible: Steps to Reproduce: # auditctl -a exit,always -S symlink; ln -s /tmp/foo /tmp/foosym; auditctl -d exit,always -S symlink Actual results: type=CONFIG_CHANGE msg=audit(1169513908.467:78234): auid=500 subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 add rule key=(null) list=4 res=1 type=SYSCALL msg=audit(1169513908.469:78235): arch=c000003e syscall=88 success=yes exit=0 a0=7ffff0becb89 a1=7ffff0becb92 a2=0 a3=0 items=3 ppid=27219 pid=27346 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts2 comm="ln" exe="/bin/ln" subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 key=(null) type=CWD msg=audit(1169513908.469:78235): cwd="/home/eal" type=PATH msg=audit(1169513908.469:78235): item=0 name="/tmp/foo" obj=system_u:object_r:locale_t:s0 type=PATH msg=audit(1169513908.469:78235): item=1 name="/tmp/" inode=917505 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0-s15:c0.c1023 type=PATH msg=audit(1169513908.469:78235): item=2 name="/tmp/foosym" inode=917507 dev=fd:00 mode=0120777 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:lspp_harness_tmp_t:s0 type=CONFIG_CHANGE msg=audit(1169513908.470:78236): auid=500 subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 remove rule key=(null) list=4 res=1 Note that the obj label for /tmp/foo is logged as system_u:object_r:locale_t:s0. ls shows us this is wrong. # ls -Z /tmp/foo -rw-r--r-- root root staff_u:object_r:tmp_t:SystemLow /tmp/foo Expected results: In audit_log_exit() there is a check that osid != 0 before proceeding to convert it to a string context. In this case, since there was no inode data collected for the name, osid should be 0. Additional info: Since audit_contexts can be reused, __audit_getname() initializes several audit_names fields to default values. __audit_getname() should also initialize the name's osid to 0.
Created attachment 146375 [details] Untested patch against lspp.63 kernel.
Testing shows this patch works well in the lspp.64 kernel. My audit record is below: type=SYSCALL msg=audit(1169822431.500:45): arch=40000003 syscall=83 success=yes exit=0 a0=bfbc0bd7 a1=bfbc0be0 a2=804f42c a3=0 items=3 ppid=1896 pid=1969 auid=0 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="ln" exe="/bin/ln" subj=root:system_r:unconfined_t:s0-s0:c0.c255 key=(null) type=CWD msg=audit(1169822431.500:45): cwd="/tmp" type=PATH msg=audit(1169822431.500:45): item=0 name="/tmp/foo" type=PATH msg=audit(1169822431.500:45): item=1 name="/tmp/" inode=2452801 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0 type=PATH msg=audit(1169822431.500:45): item=2 name="/tmp/foosym" inode=2456816 dev=fd:00 mode=0120777 ouid=0 ogid=0 rdev=00:00 obj=root:object_r:tmp_t:s0
per 2/12 discussion, Amy is reworking the patch and will make it available for review shortly.
Created attachment 148343 [details] LSPP.65 kernel patch for this issue. Needs testing before internal submission
Verified in lspp.66 kernel. type=SYSCALL msg=audit(1173131485.672:7442): arch=c000003e syscall=88 success=yes exit=0 a0=7fff0ea84953 a1=7fff0ea8495c a2=0 a3=0 items=3 ppid=22633 pid=5102 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts0 comm="ln" exe="/bin/ln" subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 key=(null) type=CWD msg=audit(1173131485.672:7442): cwd="/usr/local/eal4_testing/audit-test/utils/bin" type=PATH msg=audit(1173131485.672:7442): item=0 name="/tmp/foo" type=PATH msg=audit(1173131485.672:7442): item=1 name="/tmp/" inode=1048579 dev=fd:00 mode=041777 ouid=0 ogid=0 rdev=00:00 obj=system_u:object_r:tmp_t:s0-s15:c0.c1023 type=PATH msg=audit(1173131485.672:7442): item=2 name="/tmp/foosym" inode=1048581 dev=fd:00 mode=0120777 ouid=0 ogid=0 rdev=00:00 obj=staff_u:object_r:lspp_harness_tmp_t:s0
this patch needs to be accepted into an upstream tree and will then be submitted for a RHEL5 update.
in 2.6.18-27.el5 You can download this test kernel from http://people.redhat.com/dzickus/el5
A fix for this issue should have been included in the packages contained in the RHEL5.1-Snapshot3 on partners.redhat.com. Requested action: Please verify that your issue is fixed as soon as possible to ensure that it is included in this update release. After you (Red Hat Partner) have verified that this issue has been addressed, please perform the following: 1) Change the *status* of this bug to VERIFIED. 2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified) If this issue is not fixed, please add a comment describing the most recent symptoms of the problem you are having and change the status of the bug to FAILS_QA. More assistance: If you cannot access bugzilla, please reply with a message to Issue Tracker and I will change the status for you. If you need assistance accessing ftp://partners.redhat.com, please contact your Partner Manager.
A fix for this issue should have been included in the packages contained in the RHEL5.1-Snapshot4 on partners.redhat.com. Requested action: Please verify that your issue is fixed *as soon as possible* to ensure that it is included in this update release. After you (Red Hat Partner) have verified that this issue has been addressed, please perform the following: 1) Change the *status* of this bug to VERIFIED. 2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified) If this issue is not fixed, please add a comment describing the most recent symptoms of the problem you are having and change the status of the bug to FAILS_QA. If you cannot access bugzilla, please reply with a message to Issue Tracker and I will change the status for you. If you need assistance accessing ftp://partners.redhat.com, please contact your Partner Manager.
A fix for this issue should have been included in the packages contained in the RHEL5.1-Snapshot6 on partners.redhat.com. Requested action: Please verify that your issue is fixed ASAP to confirm that it will be included in this update release. After you (Red Hat Partner) have verified that this issue has been addressed, please perform the following: 1) Change the *status* of this bug to VERIFIED. 2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified) If this issue is not fixed, please add a comment describing the most recent symptoms of the problem you are having and change the status of the bug to FAILS_QA. If you cannot access bugzilla, please reply with a message to Issue Tracker and I will change the status for you. If you need assistance accessing ftp://partners.redhat.com, please contact your Partner Manager.
A fix for this issue should have been included in the packages contained in the RHEL5.1-Snapshot7 on partners.redhat.com. Requested action: Please verify that your issue is fixed ASAP to confirm that it will be included in this update release. After you (Red Hat Partner) have verified that this issue has been addressed, please perform the following: 1) Change the *status* of this bug to VERIFIED. 2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified) If this issue is not fixed, please add a comment describing the most recent symptoms of the problem you are having and change the status of the bug to FAILS_QA. If you cannot access bugzilla, please reply with a message to Issue Tracker and I will change the status for you. If you need assistance accessing ftp://partners.redhat.com, please contact your Partner Manager.
I tested this on rhel5 u1 snapshot 6 and it seems to work.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0959.html