Description of problem:
Auditing writes to files of label bin_t do not seem to produce any records. (I do not think it's limited to bin_t, that's just the test case.)

Version-Release number of selected component (if applicable):
2.6.18-6el5

How reproducible:
always

Steps to Reproduce:
[root ~]# cp /bin/bash /bin/aubash
[root ~]# ls -Z /bin/aubash
-rwxr-xr-x root root user_u:object_r:bin_t /bin/aubash
[root ~]# auditctl -a exit,always -F perm=w -F obj_type=bin_t -F key=executable
[root ~]# echo "test" > /bin/aubash
[root ~]# cat /bin/aubash
test
[root ~]# ausearch --start recent -k executable
<no matches>

Expected results:
ausearch to have found a record.
OK, so far it looks like kernel gets empty permissions mask (instead of -w-). Either auditctl or kernel-side code that decodes userland rule...
This problem was a missing case statement in libaudit...reassigning bug.
Per 2/12 discussion, patch has been isolated, Steve will build new audit package to test it.
audit package 1.3.1-2 was built to solve this problem.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0602.html