Description of problem:
Audit does not log an obj label for a pid that is traced with ptrace(). Because an MLS check is performed for this operation, audit must log the obj label in order to meet LSPP certification requirements.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. auditctl -a exit,always -S ptrace
2. strace echo hello

Actual results:
type=SYSCALL msg=audit(1171311544.357:109672): arch=c000003e syscall=101 success=no exit=-3 a0=11 a1=3b98 a2=1 a3=ffffffff items=0 ppid=15112 pid=15255 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="strace" exe="/usr/bin/strace" subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 key=(null)

Expected results:
type=SYSCALL msg=audit(1171311544.357:109672): arch=c000003e syscall=101 success=no exit=-3 a0=11 a1=3b98 a2=1 a3=ffffffff items=0 ppid=15112 pid=15255 auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="strace" exe="/usr/bin/strace" subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 key=(null)
type=TARGET_PID msg=audit(1171311544.357:109672): opid=15256 obj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023

Additional info:
per 2/12 discussion, can we get Al Viro to help with this bug?
Untested patch posted to linux-audit on March 5. Will review and get into a kernel as soon as possible.
This request was evaluated by Red Hat Kernel Team for inclusion in a Red Hat Enterprise Linux maintenance release, and has moved to bugzilla status POST.
I verified Al's patch in the lspp.68 kernel.

Log output for success case:
type=SYSCALL msg=audit(1173826483.702:7664): arch=c000003e syscall=101 success=yes exit=0 a0=10 a1=4c2f a2=0 a3=0 items=0 ppid=13429 pid=19506 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1 comm="do_ptrace" exe="/usr/local/eal4_testing/audit-test/utils/bin/do_ptrace" subj=staff_u:lspp_test_r:lspp_test_generic_t:s0 key=(null)
type=UNKNOWN[1318] msg=audit(1173826483.702:7664): opid=19503 obj=staff_u:lspp_test_r:lspp_harness_t:s0

Log output for failure case:
type=SYSCALL msg=audit(1173826511.922:7667): arch=c000003e syscall=101 success=no exit=-1 a0=10 a1=4c2f a2=0 a3=0 items=0 ppid=13429 pid=19509 auid=501 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none) comm="do_ptrace" exe="/usr/local/eal4_testing/audit-test/utils/bin/do_ptrace" subj=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023 key=(null)
type=UNKNOWN[1318] msg=audit(1173826511.922:7667): opid=19503 obj=staff_u:lspp_test_r:lspp_harness_t:s0

The aux record type is UNKNOWN pending userspace change.
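The check done by hand in the verification above can be automated. The following is an added example, not part of the original bug report or of the audit project: a Python script that groups audit records by event ID and reports every ptrace SYSCALL event that lacks a companion record carrying opid and obj. The sample records are constructed from the ones quoted in this report with fields abbreviated, and the function names are hypothetical.

```python
import re
from collections import defaultdict

# (arch, syscall) pair for ptrace as it appears in this report's records.
PTRACE = {("c000003e", "101")}

# Constructed sample, modelled on the records quoted in this report (fields abbreviated).
SAMPLE = """\
type=SYSCALL msg=audit(1173826483.702:7664): arch=c000003e syscall=101 success=yes exit=0 pid=19506 comm="do_ptrace" subj=staff_u:lspp_test_r:lspp_test_generic_t:s0 key=(null)
type=UNKNOWN[1318] msg=audit(1173826483.702:7664): opid=19503 obj=staff_u:lspp_test_r:lspp_harness_t:s0
type=SYSCALL msg=audit(1171311544.357:109672): arch=c000003e syscall=101 success=no exit=-3 pid=15255 comm="strace" subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 key=(null)
"""

HEADER = re.compile(r'^type=(\S+) msg=audit\((\d+\.\d+:\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse(text):
    """Group records by event id (timestamp:serial) -> list of (type, fields)."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = HEADER.match(line.strip())
        if m:
            rtype, event_id, body = m.groups()
            events[event_id].append((rtype, dict(FIELD.findall(body))))
    return events


def check_ptrace_events(text):
    """Return {event_id: (opid, obj) or None} for every ptrace SYSCALL event."""
    result = {}
    for event_id, records in parse(text).items():
        is_ptrace = any(t == "SYSCALL" and (f.get("arch"), f.get("syscall")) in PTRACE
                        for t, f in records)
        if not is_ptrace:
            continue
        # Match the target record by its fields, not its type name: the report
        # shows it as TARGET_PID (expected) and UNKNOWN[1318] (older userspace).
        result[event_id] = next(((f["opid"], f["obj"]) for t, f in records
                                 if t != "SYSCALL" and "opid" in f and "obj" in f), None)
    return result


if __name__ == "__main__":
    for event_id, target in check_ptrace_events(SAMPLE).items():
        print(event_id, "OK" if target else "MISSING obj label", target or "")
```

An event mapped to None is one where the MLS-relevant target label was not audited, which is the condition this bug describes.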
in 2.6.18-27.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0602.html