Bug 226780 - LSPP: audit of writes to files of bin_t produces no records
LSPP: audit of writes to files of bin_t produces no records
Status: CLOSED ERRATA
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: audit (Show other bugs)
5.0
All Linux
medium Severity medium
: ---
: ---
Assigned To: Steve Grubb
Brian Brock
:
Depends On:
Blocks: RHEL5LSPPCertTracker
  Show dependency treegraph
 
Reported: 2007-02-01 10:51 EST by Steve Grubb
Modified: 2007-11-30 17:07 EST (History)
0 users

See Also:
Fixed In Version: RHBA-2007-0602
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2007-11-07 12:02:35 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description Steve Grubb 2007-02-01 10:51:11 EST
Description of problem:
auditing writes to files of label bin_t do not seem to produce any records. (I
do not think its limited to bin_t, that's just the test case.)

Version-Release number of selected component (if applicable):
2.6.18-6el5

How reproducible:
always

Steps to Reproduce:
[root ~]# cp /bin/bash /bin/aubash
[root ~]# ls -Z /bin/aubash
-rwxr-xr-x  root root user_u:object_r:bin_t            /bin/aubash
[root ~]# auditctl -a exit,always -F perm=w -F obj_type=bin_t -F key=executable
[root ~]# echo "test" > /bin/aubash
[root ~]# cat /bin/aubash
test
[root ~]# ausearch --start recent -k executable
<no matches>

Expected results:
ausearch to have found a record.
Comment 1 Alexander Viro 2007-02-05 10:36:54 EST
OK, so far it looks like kernel gets empty permissions mask (instead
of -w-).  Either auditctl or kernel-side code that decodes userland
rule...
Comment 2 Steve Grubb 2007-02-05 12:56:27 EST
This problem was a missing case statement in libaudit...reassigning bug.
Comment 3 Irina Boverman 2007-02-14 16:13:19 EST
per 2/12 discussion, patch has been isolated, Steve will build new audit package
to test it.
Comment 5 Steve Grubb 2007-03-06 19:22:03 EST
audit package 1.3.1-2 was built to solve this problem.
Comment 9 errata-xmlrpc 2007-11-07 12:02:35 EST
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0602.html

Note You need to log in before you can comment on or make changes to this bug.