Red Hat Bugzilla – Bug 235321
LSPP: audit DAEMON_CONFIG record truncated
Last modified: 2007-11-30 17:07:43 EST
Description of problem:
The buffer used to construct the DAEMON_CONFIG isn't big enough
for some lspp subject contexts, causing the results to be truncated.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1.On an lspp system, have a context that's fairly long (could be lots of
compartments, for example)
2.do some audit management
type=DAEMON_CONFIG msg=audit(1175743730.429:9233) config changed, auid=500
pid=15992 subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 res=succe
type=DAEMON_CONFIG msg=audit(1175727102.355:3465) config changed, auid=500
pid=3100 subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 res=succes
The full record should appear, including the res=success
The buffer used for these messages in auditd-event.c is only 128 bytes.
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release. Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products. This request is not yet committed for inclusion in an Update
Revised test case for targeted.
1) setenforce 0
2) runcon -l s0:c0,c2,c4,c6,c8,c10,c12,c14,c16,c18,c20,c22,c24,c26,c28,c30 sh
3) killall -HUP auditd
4) ausearch --start recent -m DAEMON_CONFIG
record will be truncated.
built audit-1.3.1-4 to address this issue.
I upgraded to audit-1.3.1-4.el5 and now I see the full DAEMON_CONFIG
audit record. Thanks.
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.