Bug 228384 - LSPP: audit does not log obj label for traced process
Keywords:
Status: CLOSED ERRATA
Alias: None
Product: Red Hat Enterprise Linux 5
Classification: Red Hat
Component: kernel
Version: 5.0
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Eric Paris
QA Contact: Brian Brock
URL:
Whiteboard:
Depends On:
Blocks: RHEL5LSPPCertTracker
 
Reported: 2007-02-12 20:26 UTC by Amy Griffis
Modified: 2009-06-19 15:02 UTC (History)

Fixed In Version: RHBA-2007-0602
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2007-11-07 17:02:44 UTC
Target Upstream Version:


Links
System ID Priority Status Summary Last Updated
Red Hat Product Errata RHBA-2007:0602 normal SHIPPED_LIVE audit bug fix and enhancement update 2007-10-30 15:35:36 UTC

Description Amy Griffis 2007-02-12 20:26:25 UTC
Description of problem:

Audit does not log an obj label for a pid that is traced with ptrace(). Because
an MLS check is performed for this operation, audit must log the obj label in
order to meet LSPP certification requirements.

Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1. auditctl -a exit,always -S ptrace
2. strace echo hello
  
Actual results:

type=SYSCALL msg=audit(1171311544.357:109672): arch=c000003e syscall=101
success=no exit=-3 a0=11 a1=3b98 a2=1 a3=ffffffff items=0 ppid=15112 pid=15255
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1
comm="strace" exe="/usr/bin/strace"
subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 key=(null)

Expected results:

type=SYSCALL msg=audit(1171311544.357:109672): arch=c000003e syscall=101
success=no exit=-3 a0=11 a1=3b98 a2=1 a3=ffffffff items=0 ppid=15112 pid=15255
auid=500 uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1
comm="strace" exe="/usr/bin/strace"
subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 key=(null)

type=TARGET_PID msg=audit(1171311544.357:109672): opid=15256
obj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 

Additional info:

Comment 1 Irina Boverman 2007-02-14 21:32:38 UTC
Per 2/12 discussion, can we get Al Viro to help with this bug?

Comment 2 Eric Paris 2007-03-05 19:58:37 UTC
Untested patch posted to linux-audit on March 5.  Will review and get into a
kernel as soon as possible.

Comment 3 RHEL Product and Program Management 2007-03-12 21:41:34 UTC
This request was evaluated by Red Hat Kernel Team for inclusion in a Red
Hat Enterprise Linux maintenance release, and has moved to bugzilla 
status POST.

Comment 4 Amy Griffis 2007-03-13 22:56:27 UTC
I verified Al's patch in the lspp.68 kernel.

Log output for success case:

type=SYSCALL msg=audit(1173826483.702:7664): arch=c000003e syscall=101
success=yes exit=0 a0=10 a1=4c2f a2=0 a3=0 items=0 ppid=13429 pid=19506 auid=501
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=pts1
comm="do_ptrace" exe="/usr/local/eal4_testing/audit-test/utils/bin/do_ptrace"
subj=staff_u:lspp_test_r:lspp_test_generic_t:s0 key=(null)
type=UNKNOWN[1318] msg=audit(1173826483.702:7664): opid=19503
obj=staff_u:lspp_test_r:lspp_harness_t:s0

Log output for failure case:

type=SYSCALL msg=audit(1173826511.922:7667): arch=c000003e syscall=101
success=no exit=-1 a0=10 a1=4c2f a2=0 a3=0 items=0 ppid=13429 pid=19509 auid=501
uid=0 gid=0 euid=0 suid=0 fsuid=0 egid=0 sgid=0 fsgid=0 tty=(none)
comm="do_ptrace" exe="/usr/local/eal4_testing/audit-test/utils/bin/do_ptrace"
subj=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023 key=(null)
type=UNKNOWN[1318] msg=audit(1173826511.922:7667): opid=19503
obj=staff_u:lspp_test_r:lspp_harness_t:s0

The aux record type is UNKNOWN pending userspace change.
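
The check this bug asks for can be automated: group audit records by event ID and confirm that every ptrace SYSCALL record has a companion record carrying opid and obj. The following is an added example, not part of the original bug report or of the audit project's code. The function names are hypothetical, and the sample lines are assembled from the records quoted in this bug (re-joined one record per line, some fields trimmed).

```python
import re
from collections import defaultdict

# Constructed sample: records quoted in this bug, one record per line as in
# audit.log, with some fields trimmed. Event 109672 is the "Actual results" case.
SAMPLE_LOG = """\
type=SYSCALL msg=audit(1171311544.357:109672): arch=c000003e syscall=101 success=no exit=-3 pid=15255 auid=500 comm="strace" subj=staff_u:lspp_test_r:lspp_harness_t:s0-s15:c0.c1023 key=(null)
type=SYSCALL msg=audit(1173826483.702:7664): arch=c000003e syscall=101 success=yes exit=0 pid=19506 auid=501 comm="do_ptrace" subj=staff_u:lspp_test_r:lspp_test_generic_t:s0 key=(null)
type=UNKNOWN[1318] msg=audit(1173826483.702:7664): opid=19503 obj=staff_u:lspp_test_r:lspp_harness_t:s0
type=SYSCALL msg=audit(1173826511.922:7667): arch=c000003e syscall=101 success=no exit=-1 pid=19509 auid=501 comm="do_ptrace" subj=staff_u:lspp_test_r:lspp_test_generic_t:s15:c0.c1023 key=(null)
type=UNKNOWN[1318] msg=audit(1173826511.922:7667): opid=19503 obj=staff_u:lspp_test_r:lspp_harness_t:s0
"""

RECORD = re.compile(r"^type=(\S+) msg=audit\((\d+\.\d+:\d+)\): (.*)$")
FIELD = re.compile(r'(\w+)=("[^"]*"|\S+)')
# Record type names for the target-process record as they appear on this page.
TARGET_TYPES = {"TARGET_PID", "UNKNOWN[1318]"}
PTRACE_X86_64 = ("c000003e", "101")  # arch/syscall values from the page's records


def group_by_event(log):
    """Map 'timestamp:serial' -> list of (record type, field dict)."""
    events = defaultdict(list)
    for line in log.splitlines():
        m = RECORD.match(line.strip())
        if m:
            rtype, event_id, body = m.groups()
            events[event_id].append((rtype, dict(FIELD.findall(body))))
    return events


def ptrace_events(log):
    """For each ptrace event, pair the subject label with the target's label."""
    report = {}
    for event_id, records in group_by_event(log).items():
        sc = next((f for t, f in records if t == "SYSCALL"), None)
        if sc is None or (sc.get("arch"), sc.get("syscall")) != PTRACE_X86_64:
            continue
        tgt = next((f for t, f in records if t in TARGET_TYPES and "obj" in f), {})
        report[event_id] = {"success": sc.get("success"), "subj": sc.get("subj"),
                            "opid": tgt.get("opid"), "obj": tgt.get("obj")}
    return report


def missing_obj(log):
    """Event IDs of ptrace calls that were audited without an obj label."""
    return sorted(e for e, r in ptrace_events(log).items() if r["obj"] is None)


if __name__ == "__main__":
    for event_id, rec in ptrace_events(SAMPLE_LOG).items():
        print(event_id, rec)
    print("missing obj label:", missing_obj(SAMPLE_LOG))
```
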

Comment 7 Don Zickus 2007-06-16 00:30:59 UTC
in 2.6.18-27.el5
You can download this test kernel from http://people.redhat.com/dzickus/el5

Comment 11 errata-xmlrpc 2007-11-07 17:02:44 UTC
An advisory has been issued which should help the problem
described in this bug report. This report is therefore being
closed with a resolution of ERRATA. For more information
on the solution and/or where to find the updated files,
please follow the link below. You may reopen this bug report
if the solution does not work for you.

http://rhn.redhat.com/errata/RHBA-2007-0602.html


