Description of problem: When aide generates a report of changed files if it has found SELinux context differences the report limits the displayed context to the first 32 characters of the context. Often this misses the MLS/MCS portion entirely. Version-Release number of selected component (if applicable): aide-0.12-9.el5 How reproducible: Everytime the context is greater than 32 characters. Steps to Reproduce: 1. Run aide to generate a database 2. Change the context of a watched file 3. Re-run aide and notice the report output Actual results: AIDE found differences between database and filesystem!! Start timestamp: 2007-05-14 19:31:44 Summary: Total number of files: 13467 Added files: 0 Removed files: 0 Changed files: 1 --------------------------------------------------- Changed files: --------------------------------------------------- changed: /usr/local/eal4_testing/audit-test/trustedprograms/aide-testfile -------------------------------------------------- Detailed information about changes: --------------------------------------------------- File: /usr/local/eal4_testing/audit-test/trustedprograms/aide-testfile Ctime : 2007-05-14 19:31:39 , 2007-05-14 19:31:44 SELinux : staff_u:object_r:lspp_test_outpu , staff_u:object_r:lspp_test_outpu Expected results: AIDE found differences between database and filesystem!! Start timestamp: 2007-05-14 19:31:44 Summary: Total number of files: 13467 Added files: 0 Removed files: 0 Changed files: 1 --------------------------------------------------- Changed files: --------------------------------------------------- changed: /usr/local/eal4_testing/audit-test/trustedprograms/aide-testfile -------------------------------------------------- Detailed information about changes: --------------------------------------------------- File: /usr/local/eal4_testing/audit-test/trustedprograms/aide-testfile Ctime : 2007-05-14 19:31:39 , 2007-05-14 19:31:44 SELinux : staff_u:object_r:lspp_test_output_t:SystemLow , staff_u:object_r:lspp_test_output_t:Secret Additional info: This is not blocking the evaluation since aide does notice the change. It correctly audits the difference on the filesystem. Apparently due to report convention (as seen in the Ctime entry) the output is currently limited to 32 characters per side.
This request was evaluated by Red Hat Product Management for inclusion in a Red Hat Enterprise Linux maintenance release. Product Management has requested further review of this request by Red Hat Engineering, for potential inclusion in a Red Hat Enterprise Linux Update release for currently deployed products. This request is not yet committed for inclusion in an Update release.
Since this is not blocking eval, I'm resetting severity to medium.
An advisory has been issued which should help the problem described in this bug report. This report is therefore being closed with a resolution of ERRATA. For more information on the solution and/or where to find the updated files, please follow the link below. You may reopen this bug report if the solution does not work for you. http://rhn.redhat.com/errata/RHSA-2007-0539.html