audit 2.6.7 released

[Steve Grubb]

Hello,

I've just released a new version of the audit daemon. It can be downloaded 
from http://people.redhat.com/sgrubb/audit. It will also be in rawhide
soon. The ChangeLog is:

- Non-active log files should be read only
- In augenrules, restore the selinux context if restorecon is installed
- Update gitignore file and remove ltmain.sh (Richard Guy Briggs)
- Replace Group Separator with whitespace in syslog audispd plugin
- In auditd, check for euid rather than capabilities when local_events = no
- If events are piped from ausearch to audisp-remote, flush queue when done
- In auditctl, correct handling of -F key so that key is not part of value
- In auparse, move static variables to auparse_state_t

This update is probably the last of the 2.6 series. New development will begin 
aiming new features towards a future 2.7 release. 

This update fixes the file permissions on non-active logs. Augenrules now 
restores the selinux context of the rules file. This is only an issue for MLS 
systems. The Group Separator used in enriched events has been replaced by a 
whitespace character for syslog.

When auditd is run from some containers that does not support audit 
collection, it also runs auditd unprivileged. This makes auditd fail so it 
switches to doing euid checks for this scenario.

It was also found that the very last record was not being sent when a file was 
cat'ed into audisp-remote for remote collection. It now handles this 
correctly.

And it was found that a bug was introduced in the 2.6.6 release where support 
for multi-keys was fixed. It was also sending the field name into the kernel 
when doing syscall rules with keys.

Please let me know if you run across any problems with this release.

-Steve