sgrubb at redhat.com
Fri Oct 1 17:21:28 UTC 2021
I've just released a new version of the audit daemon. It can be
downloaded from http://people.redhat.com/sgrubb/audit. It will also be
in rawhide soon. The ChangeLog is:
- Fixed various issues when dealing with corrupted logs
- Make IPX packet interpretation dependent on the ipx header file existing
- Add b32/b64 support to ausyscall (Egor Ignatov)
- Add support for armv8l (Egor Ignatov)
- Fix auditctl list of syscalls in PPC (Egor Ignatov)
- auditd.service now restarts auditd under some conditions (Timothée Ravier)

The main driver for this release is that there is a scattering of bug
reports of segfaults on the previous release. The auparse library has been
documented for years to fabricate 2 non-existing fields, seresult and seperm.
Somehow, seresult was added to SELINUX_ERR over the years and this was not
noticed. So, when auparse is done with an event and is cleaning up, it thinks
it owns the seresult field and frees it. On the SELINUX_ERR record, it's a
real field that can't be freed and that leads to the segfault. The code doing
cleanup was refactored to not make the decision based on the field's name. The
resulting code should be slightly faster.

Please let me know if you run across any problems with this release.
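
The cleanup problem described in the message, as an added example that is not code from the audit project or from the author: a simplified model in which ownership is recorded when a field is created rather than inferred from its name. The field struct, the owned flag and all function names are assumptions made for illustration, and the records are constructed.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Simplified model of a parsed field; NOT auparse's real structures. */
typedef struct {
    const char *name;
    char *val;  /* points into the record buffer, or is heap-allocated */
    int owned;  /* hypothetical flag: set only when the parser allocated val */
} field;
typedef struct { int bad, freed; } result;

/* Old decision: infer ownership from the field's name. */
static int name_says_free(const field *f) {
    return !strcmp(f->name, "seresult") || !strcmp(f->name, "seperm");
}

/* Cleanup keyed on the flag. Also counts fields the name-based rule would
   have freed although the parser never allocated them. */
static result cleanup(field *f, size_t n) {
    result r = { 0, 0 };
    for (size_t i = 0; i < n; i++) {
        r.bad += name_says_free(&f[i]) && !f[i].owned;
        if (f[i].owned) { free(f[i].val); r.freed++; }
        f[i].val = NULL;
    }
    return r;
}

/* Constructed input. fabricated=1: seresult synthesized by the parser.
   fabricated=0: seresult is real text inside the record buffer. */
static result run(int fabricated) {
    char raw[] = "denied";  /* stand-in for text inside the record buffer */
    char *syn = fabricated ? malloc(sizeof raw) : NULL;
    if (syn) memcpy(syn, raw, sizeof raw);
    field f[] = {
        { "pid", raw, 0 },
        { "seresult", fabricated ? syn : raw, fabricated },
    };
    return cleanup(f, 2);
}

int main(void) {
    result a = run(1), b = run(0);
    printf("fabricated seresult: bad=%d freed=%d\n", a.bad, a.freed);
    printf("real seresult:       bad=%d freed=%d\n", b.bad, b.freed);
    return 0;
}
```

The bad count is how many invalid free() calls a name-based cleanup would have made on the same input; the flag-based cleanup makes none.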