audit 1.7.4 released

[Eric Paris]

On Tue, 2008-05-27 at 10:50 -0500, LC Bruzenak wrote:
> Steve,
> 
> I am testing 1.7.4 (with mls permissive policy):
> audit-viewer-0.2-2.fc9.x86_64
> audit-libs-python-1.7.4-1.fc9.x86_64
> system-config-audit-0.4.7-1.fc9.x86_64
> audit-1.7.4-1.fc9.x86_64
> audit-libs-devel-1.7.4-1.fc9.x86_64
> audit-debuginfo-1.7.3-1.fc9.x86_64
> audit-libs-1.7.4-1.fc9.x86_64
> audit-libs-1.7.4-1.fc9.i386
> 
> I moved all the old audit out of the way, so all records would be new,
> and see this after reboot:
> 
> [root at hugo ~]# aureport -h -i --summary
> 
> Host Summary Report
> ===========================
> total  host
> ===========================
> 223  ?
> 12  homeserver
> 8  127.0.0.1
> 6  0.0.0.0
> 
> The "?" entries are application audits - I am going to look, maybe they
> have an error on the way we are sending those in.
> 
> The ones I don't understand are the "0.0.0.0" entries. Here is an
> example of one of those:
> 
> [root at hugo ~]# ausearch -hn 0.0.0.0 -i --just-one
> ----
> type=SOCKADDR msg=audit(05/27/2008 10:30:22.163:13193) : saddr=inet
> host:0.0.0.0 serv:711 
> type=SYSCALL msg=audit(05/27/2008 10:30:22.163:13193) : arch=x86_64
> syscall=bind success=yes exit=0 a0=5 a1=7fff63dbb220 a2=10 a3=89ea70
> items=0 ppid=1 pid=2647 auid=unset uid=root gid=root euid=root suid=root
> fsuid=root egid=root sgid=root fsgid=root tty=(none) ses=4294967295
> comm=rpc.rquotad exe=/usr/sbin/rpc.rquotad
> subj=system_u:system_r:initrc_t:s0-s15:c0.c1023 key=(null) 
> type=AVC msg=audit(05/27/2008 10:30:22.163:13193) : avc:  denied
> { name_bind } for  pid=2647 comm=rpc.rquotad src=711
> scontext=system_u:system_r:initrc_t:s0-s15:c0.c1023
> tcontext=system_u:object_r:hi_reserved_port_t:s0 tclass=udp_socket 
> 
> Is the host "0.0.0.0" field here a bug?

Isn't this telling up that they are calling bind on any interface not a
specific address?

the const struct sockaddr *addr part of the bind(2) call is IN_ADDRANY
what whatever the semantics are...

-Eric