Red Hat Bugzilla – Bug 226780
LSPP: audit of writes to files of bin_t produces no records
Last modified: 2007-11-30 17:07:41 EST
Description of problem:
Auditing writes to files of label bin_t does not seem to produce any records. (I
do not think it's limited to bin_t, that's just the test case.)
Version-Release number of selected component (if applicable):
Steps to Reproduce:
[root ~]# cp /bin/bash /bin/aubash
[root ~]# ls -Z /bin/aubash
-rwxr-xr-x root root user_u:object_r:bin_t /bin/aubash
[root ~]# auditctl -a exit,always -F perm=w -F obj_type=bin_t -F key=executable
[root ~]# echo "test" > /bin/aubash
[root ~]# cat /bin/aubash
[root ~]# ausearch --start recent -k executable
ausearch to have found a record.
OK, so far it looks like kernel gets empty permissions mask (instead
of -w-). Either auditctl or kernel-side code that decodes userland
This problem was a missing case statement in libaudit...reassigning bug.
Per 2/12 discussion, patch has been isolated; Steve will build new audit package
to test it.
audit package 1.3.1-2 was built to solve this problem.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.