audit-3.0.6 released

Steve Grubb sgrubb at
Fri Oct 1 17:21:28 UTC 2021


I've just released a new version of the audit daemon. It can be
downloaded from It will also be
in rawhide soon. The ChangeLog is:

- Fixed various issues when dealing with corrupted logs
- Make IPX packet interpretation dependent on the ipx header file existing
- Add b32/b64 support to ausyscall (Egor Ignatov)
- Add support for armv8l (Egor Ignatov)
- Fix auditctl list of syscalls in PPC (Egor Ignatov)
- auditd.service now restarts auditd under some conditions (Timothée Ravier)

The main driver for this release is that there are a scattering of bug 
reports of segfaults on the previous release. The auparse library has been 
documented for years to fabricate 2 non-existing fields, seresult and seperm. 
Somehow, seresult was added to SELINUX_ERR over the years and this was not 
noticed. So, when auparse is done with an event and is cleaning up, it thinks 
it owns the seresult field and frees it. On the SELINUX_ERR record, it's a 
real field that can't be freed and that leads to the segfault. The code doing 
cleanup was refactored to not make the decision based on the field's name. The 
resulting code should be slightly faster.

SHA256: c3e44d77513a42401d417dd0ceb203cf23886cb89402dea7b9494faa3f4fcc5e

Please let me know if you run across any problems with this release.


More information about the Linux-audit mailing list