Bug 452044 - Patch - handle 2.6.25+ audit messages
Summary: Patch - handle 2.6.25+ audit messages
Alias: None
Product: Fedora
Classification: Fedora
Component: logwatch
Version: 8
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Ivana Varekova
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2008-06-18 22:33 UTC by Orion Poplawski
Modified: 2008-06-20 10:02 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Last Closed: 2008-06-20 10:02:37 UTC

Attachments
patch to audit config and script (deleted)
2008-06-18 22:33 UTC, Orion Poplawski

Description Orion Poplawski 2008-06-18 22:33:36 UTC
Description of problem:

It appears that in Linux 2.6.25+ audit messages have a "type=####" field:

May 30 17:10:53 cynosure kernel: type=1400 audit(1212189053.613:2458): avc: 
denied  { read } for  pid=2045 comm="umount" path="/proc/7352/mounts" dev=proc
ino=644101 scontext=unconfined_u:system_r:mount_t:s0
tcontext=unconfined_u:system_r:automount_t:s0 tclass=file

The attached patch addresses that by changing audit.conf to add the possible type=
field and to remove a leading "^" from one of the rules.

It also handles:

Jun 17 10:39:29 pyramid kernel: audit(1213720769.358:5): user pid=1999 uid=81
auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: 
received policyload notice (seqno=3)

(add support for the added "-s0:c0.c1023")

This has been sent upstream.

Version-Release number of selected component (if applicable):
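
The two message shapes described in this report, as an added example that is not part of the bug report, the attached patch, or logwatch's own Perl code: a Python parser that accepts the optional "type=####" prefix without anchoring at line start and accepts an MLS range such as "s0-s0:c0.c1023" in a context. The regexes, function names, and sample lines 3-4 are assumptions constructed for illustration.

```python
import re
from collections import Counter

# MLS level: sensitivity plus optional categories, e.g. "s0" or "s0:c0.c1023".
LEVEL = r"s\d+(?::c\d+(?:[.,]c\d+)*)?"
# SELinux context user:role:type:level, where level may be a low-high range.
CONTEXT = rf"\w+:\w+:\w+:{LEVEL}(?:-{LEVEL})?"

# No "^" anchor: the record follows the syslog timestamp/host/"kernel:" prefix,
# and 2.6.25+ kernels put "type=NNNN " in front of "audit(".
HEADER = re.compile(
    r"(?:type=(?P<type>\d+) )?"
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)")
DENIED = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for\s+.*?comm=\"(?P<comm>[^\"]+)\".*?"
    rf"scontext=(?P<scontext>{CONTEXT}) tcontext=(?P<tcontext>{CONTEXT}) "
    r"tclass=(?P<tclass>\w+)")
POLICYLOAD = re.compile(
    rf"user pid=\d+ uid=\d+ auid=\d+ subj=(?P<subj>{CONTEXT}) "
    r"msg='avc:\s+received policyload notice \(seqno=(?P<seqno>\d+)\)")

# Lines 1-2 are the two samples from the report with their wrapped lines
# rejoined; lines 3-4 are constructed (an AVC denial without type=, and noise).
SAMPLE = [
    'May 30 17:10:53 cynosure kernel: type=1400 audit(1212189053.613:2458): avc:  denied  { read } for  pid=2045 comm="umount" path="/proc/7352/mounts" dev=proc ino=644101 scontext=unconfined_u:system_r:mount_t:s0 tcontext=unconfined_u:system_r:automount_t:s0 tclass=file',
    "Jun 17 10:39:29 pyramid kernel: audit(1213720769.358:5): user pid=1999 uid=81 auid=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  received policyload notice (seqno=3)",
    'May 30 17:11:02 host1 kernel: audit(1212189062.101:2459): avc:  denied  { write } for  pid=2101 comm="mount" name="mtab" dev=dm-0 ino=12345 scontext=system_u:system_r:mount_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file',
    "May 30 17:11:03 host1 kernel: eth0: link up",
]

def parse_audit(line):
    """Return a dict describing one kernel audit line, or None if it is not one."""
    head = HEADER.search(line)
    if not head:
        return None
    rec = {"type": head["type"], "serial": int(head["serial"])}
    for kind, rx in (("denied", DENIED), ("policyload", POLICYLOAD)):
        m = rx.match(head["body"])
        if m:
            return {**rec, "kind": kind, **m.groupdict()}
    return {**rec, "kind": "unmatched"}

def summarize(lines):
    """Count recognised audit records by kind, skipping non-audit lines."""
    return Counter(r["kind"] for r in map(parse_audit, lines) if r)
```

Records that land in the "unmatched" bucket are the ones worth watching in a report, since they indicate a message format the rules do not yet cover.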

Comment 1 Orion Poplawski 2008-06-18 22:33:36 UTC
Created attachment 309801
patch to audit config and script

Comment 2 Ivana Varekova 2008-06-20 10:02:37 UTC
Fixed in logwatch-7.3.6-24.fc10.
