Bug 501321 - Removal of directory doesn't produce audit record if rule is recursive
Summary: Removal of directory doesn't produce audit record if rule is recursive
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.3
Hardware: All
OS: Linux
Target Milestone: rc
Assignee: Alexander Viro
QA Contact: Red Hat Kernel QE team
Depends On:
Blocks: 507561
Reported: 2009-05-18 14:44 UTC by Steve Grubb
Modified: 2009-09-02 08:03 UTC

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2009-09-02 08:03:29 UTC
Target Upstream Version:

System: Red Hat Product Errata
ID: RHSA-2009:1243
Private: 0
Priority: normal
Status: SHIPPED_LIVE
Summary: Important: Red Hat Enterprise Linux 5.4 kernel security and bug fix update
Last Updated: 2009-09-01 08:53:34 UTC

Description Steve Grubb 2009-05-18 14:44:59 UTC
Description of problem:
When you have a recursive audit rule watching a directory and its subtree and you remove the directory, you only get an audit event saying the rule is removed and not one on the directory itself. There should be 2 audit events: one on the directory and one saying the rule was removed.

How reproducible:

Steps to Reproduce:
1. mkdir /tmp/test
2. auditctl -a always,exit -F dir=/tmp/test -F key=test
3. rmdir /tmp/test
4. ausearch --start recent -k test
Actual results:
time->Mon May 18 10:42:26 2009
type=CONFIG_CHANGE msg=audit(1242657746.295:37): auid=4325 ses=1 subj=unconfined_u:unconfined_r:auditctl_t:s0 op=add rule key="test2" list=4 res=1
time->Mon May 18 10:42:33 2009
type=CONFIG_CHANGE msg=audit(1242657753.089:38): op=remove rule dir="/tmp/test" key="test2" list=4 res=1

Expected results:
One more event that contains at least a syscall and path record.
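
A check for the gap this report describes, as an added example that is not part of the original report or of the kernel fix: it groups `ausearch` records by serial number and lists watched directories whose rule teardown (`op=remove rule dir=...`) has no accompanying SYSCALL and PATH event. The function names are hypothetical, and the SYSCALL/PATH lines are constructed sample records, not captured output.

```python
import re
from collections import defaultdict

RECORD = re.compile(r'^type=(\S+) msg=audit\([\d.]+:(\d+)\): (.*)$')
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_events(text):
    """Group records by audit serial number; records sharing one form an event."""
    events = defaultdict(list)
    for line in text.splitlines():
        m = RECORD.match(line.strip())
        if m:  # "time->" header lines do not match and are skipped
            fields = {k: v.strip('"') for k, v in FIELD.findall(m.group(3))}
            events[int(m.group(2))].append((m.group(1), fields))
    return events

def unaudited_removals(text):
    """Dirs whose watch rule was torn down with no SYSCALL+PATH event for them."""
    events = parse_events(text)
    def audited(directory, key):
        for records in events.values():
            syscall = any(t == "SYSCALL" and f.get("key") == key for t, f in records)
            path = any(t == "PATH" and f.get("name") == directory for t, f in records)
            if syscall and path:
                return True
        return False
    missing = []
    for records in events.values():
        for rtype, f in records:
            # Record shape taken from the report: op=remove rule dir="..." key="..."
            if rtype == "CONFIG_CHANGE" and f.get("op") == "remove" and "dir" in f:
                if not audited(f["dir"], f.get("key")):
                    missing.append(f["dir"])
    return missing

# The "Actual results" output quoted in the report (affected kernel).
AFFECTED = '''time->Mon May 18 10:42:26 2009
type=CONFIG_CHANGE msg=audit(1242657746.295:37): auid=4325 ses=1 subj=unconfined_u:unconfined_r:auditctl_t:s0 op=add rule key="test2" list=4 res=1
time->Mon May 18 10:42:33 2009
type=CONFIG_CHANGE msg=audit(1242657753.089:38): op=remove rule dir="/tmp/test" key="test2" list=4 res=1
'''

# Constructed (not captured) records of the kind "Expected results" asks for.
EXPECTED_EXTRA = '''time->Mon May 18 10:42:33 2009
type=SYSCALL msg=audit(1242657753.080:39): arch=c000003e syscall=84 success=yes exit=0 comm="rmdir" exe="/bin/rmdir" key="test2"
type=PATH msg=audit(1242657753.080:39): item=1 name="/tmp/test" inode=12345 dev=fd:00 mode=040755
'''

if __name__ == "__main__":
    print("affected:", unaudited_removals(AFFECTED))
    print("with expected records:", unaudited_removals(AFFECTED + EXPECTED_EXTRA))
```

The PATH match assumes the directory was removed by absolute path, as in the reproduction steps.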

Comment 2 Alexander Viro 2009-05-18 15:37:25 UTC
Patch posted

Comment 3 RHEL Program Management 2009-05-18 17:49:29 UTC
This request was evaluated by Red Hat Product Management for inclusion in a Red
Hat Enterprise Linux maintenance release.  Product Management has requested
further review of this request by Red Hat Engineering, for potential
inclusion in a Red Hat Enterprise Linux Update release for currently deployed
products.  This request is not yet committed for inclusion in an Update

Comment 4 Don Zickus 2009-05-21 15:37:18 UTC
in kernel-2.6.18-150.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Please do NOT transition this bugzilla state to VERIFIED until our QE team
has sent specific instructions indicating when to do so.  However feel free
to provide a comment indicating that this fix has been verified.

Comment 11 errata-xmlrpc 2009-09-02 08:03:29 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.
