Description of problem: The audit support for a couple of xattr syscalls that use a file descriptor for the target rather than the path name don't capture information about the object. The specific syscalls are fgetxattr and flistxattr. Version-Release number of selected component (if applicable): RHEL5 RC1 How reproducible: very Steps to Reproduce: 1.anable auditing for the flistxattr or fgetxattr syscall 2.run a little program (sample attached) that does an flistxattr or an fgetxattr 3.Look at the audit records Actual results: This is from an flistxattr: type=SYSCALL msg=audit(02/16/2007 15:21:11.117:4182) : arch=ia64 syscall=flistxattr success=yes exit=17 a0=3 a1=60000fffff73335c a2=400 a3=60000fffff73335c items=0 ppid=3126 pid=10661 auid=ljk uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=flistxattr exe=/home/ljk/flistxattr subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 key=(null) Expected results: There should be some information about the object. Additional info: Amy has posted a patch to address this problem. See https://www.redhat.com/archives/linux-audit/2007-February/msg00048.html
Created attachment 148251 [details] test program
Created attachment 148348 [details] LSPP.65 kernel patch for this issue. LSPP.65 version of this patch. Would like testing/verification from the LSPP group before submitting for the RHEL5 kernel.
I tested this with the lspp.65 kernel. I now see a PATH record for the flistxattr syscall and the information matches the file being listed. type=PATH msg=audit(02/20/2007 11:14:57.762:1576) : item=0 name=(null) inode=2719766 dev=fd:01 mode=file,755 ouid=root ogid=root rdev=00:00 obj=staff_u:object_r:user_home_t:s0 type=SYSCALL msg=audit(02/20/2007 11:14:57.762:1576) : arch=ia64 syscall=flistxattr success=yes exit=17 a0=3 a1=60000ffffe93b37c a2=400 a3=60000ffffe93b37c items=1 ppid=2145 pid=3291 auid=ljk uid=root gid=root euid=root suid=root fsuid=root egid=root sgid=root fsgid=root tty=pts0 comm=flistxattr exe=/home/ljk/flistxattr subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 key=(null) I also tested the fgetxattr syscall with similar results.
As soon as this patch is accepted into an upstream tree it will be submitted for a RHEL5 update.
in 2.6.18-27.el5 You can download this test kernel from http://people.redhat.com/dzickus/el5
A fix for this issue should have been included in the packages contained in the RHEL5.1-Snapshot3 on partners.redhat.com. Requested action: Please verify that your issue is fixed as soon as possible to ensure that it is included in this update release. After you (Red Hat Partner) have verified that this issue has been addressed, please perform the following: 1) Change the *status* of this bug to VERIFIED. 2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified) If this issue is not fixed, please add a comment describing the most recent symptoms of the problem you are having and change the status of the bug to FAILS_QA. More assistance: If you cannot access bugzilla, please reply with a message to Issue Tracker and I will change the status for you. If you need assistance accessing ftp://partners.redhat.com, please contact your Partner Manager.
A fix for this issue should have been included in the packages contained in the RHEL5.1-Snapshot4 on partners.redhat.com. Requested action: Please verify that your issue is fixed *as soon as possible* to ensure that it is included in this update release. After you (Red Hat Partner) have verified that this issue has been addressed, please perform the following: 1) Change the *status* of this bug to VERIFIED. 2) Add *keyword* of PartnerVerified (leaving the existing keywords unmodified) If this issue is not fixed, please add a comment describing the most recent symptoms of the problem you are having and change the status of the bug to FAILS_QA. If you cannot access bugzilla, please reply with a message to Issue Tracker and I will change the status for you. If you need assistance accessing ftp://partners.redhat.com, please contact your Partner Manager.
I re-ran our tests on U1 beta 1 and they passed.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHBA-2007-0959.html