<html><body>
<p><tt> Summary: Break in audit filtering on s390x (between audit.81 and<br>
audit.82)<br>
Vendor: Red Hat Linux<br>
Version: RHEL4_U1<br>
Platform: zSeries<br>
Architecture: S390-64<br>
Submitting Project: Bluefortress<br>
Owning Team: LTC<br>
Required Date: 0000-00-00 00:00:00<br>
Status: OPEN<br>
Severity: high<br>
Priority: P2<br>
Component: Kernel<br>
Owner: bugrobot@linux.ibm.com<br>
SubmittedBy: mcthomps@us.ibm.com<br>
QAContact: rosalesa@us.ibm.com<br>
<br>
<br>
Problem description:<br>
Somewhere in the changes from the audit.81 kernel to the audit.82 kernel (and up<br>
to audit.84), there is a break in filtering rules on the s390x platform.<br>
<br>
<br>
Current patches:<br>
audit.81 kernel & higher (varies for testing purposes)<br>
<br>
uname -a<br>
Linux lnxltc08 2.6.9-11.EL.audit.82 #1 SMP Fri Jul 29 10:53:17 EDT 2005 s390x<br>
s390x s390x GNU/Linux<br>
<br>
<br>
Hardware Environment<br>
Machine type: s390x, z/VM 5<br>
Cpu type: IBM/S390<br>
<br>
<br>
The bug is reproducible, the outcome is consistant for all kernels, on the 81<br>
kernel the record is generated, under the 82+ kernel it is not.<br>
<br>
The following audit ruleset will cause no problems under the audit.81 kernel:<br>
auditctl -a entry,always -S open -F a2=448 -F exit!=0 -F auid=500 -F euid=0<br>
<br>
However, when this same ruleset is used under the audit.82 kernel (till audit.84<br>
- highest at the time of writing), the record is not generated.<br>
<br>
In order to cause a record to be generated, we create a file as root, and then<br>
attempt to open that file as root. With the ruleset as exit,always, this will<br>
work under all kernels. When the rule is entry,always and we drop the filter on<br>
a2 (-F a2=448), then the rule will pass and the record is generated under all<br>
kernels.<br>
<br>
In summary: when the kernel is > audit.82, -a entry,always, and -F a2=448 is<br>
included, then the record is not generated. However, changing 1 of these 3 will<br>
result in the record's generation.<br>
</tt></body></html>