BUG: audit log #148
BUG: audit log #148
Conversation
DO NOT SUBMIT UPSTREAM
fix:audit.log can't record correctly when rm the dir end with '/' step: 1. mkdir test 2. touch test/111.txt 3. rm -r test/ Log: type=PATH msg=audit(1690506313.361:2505): item=1 name=(null) inode=1049357 dev=fc:03 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0 type=PATH msg=audit(1690506313.361:2505): item=2 name=(null) inode=1049384 dev=fc:03 mode=040775 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0 Change-Id: I6b242a062ced1e3db129b9b9e5f155c681561c2a
|
Hi @hqh2010, thanks for debugging this and submitting a PR! I haven't had a chance to properly review it, but we generally ask for Linux Kernel patches to be sent via the Linux Audit mailing list at [email protected]. Are you familiar with the Linux Kernel patch submission process? If not, there is a document which goes into detail on the process (link below). If you have any questions I'm happy to help. |
pcmoore
force-pushed
the
main
branch
2 times, most recently
from
623d51c
to
459d748
Compare
|
Hi @hqh2010, I just wanted to check to see if you are going to be able to submit this to the audit mailing list? If not, can we at least get your sign-off on the commit/PR? |
|
I'am sorry, I can't submit this pr, you can submit this pr instead, tks.
At 2024-02-15 00:05:48, "Paul Moore" ***@***.***> wrote:
Hi @hqh2010, I just wanted to check to see if you are going to be able to submit this to the audit mailing list? If not, can we at least get your sign-off on the commit/PR?
—
Reply to this email directly, view it on GitHub, or unsubscribe.
You are receiving this because you were mentioned.Message ID: ***@***.***>
|
|
Hi @pcmoore , I'm writing to you on behalf of my former colleague, @hqh2010 , who reported a bug in kernel audit. The bug was discovered when a customer called the kernel audit function in UnionTechOS distribution. @hqh2010 has since left Uniontech, but I will improve this bugfix patch and send it to the audit subsystem mailing list as soon as possible. And will also include @hqh2010 's name in the commit msg. Thanks for your time. Best regards, WangYuli. |
|
That would be great, thank you @Avenger-285714 (and @hqh2010)! |
|
@pcmoore Exactly same behavior on RHEL 8.7 as well with audit-3.0.7-4.el8.x86_64 and 4.18.0-425.13.1.el8_7.x86_64, Is there any workaround to get it sorted? |
|
Hi @ramzcode, last I saw @Avenger-285714 was planning to submit a kernel patch to address the problem so I was waiting on that to happen. If @Avenger-285714 is not able or willing to post a patch we can look into alternate ways to submit and discuss the patch upstream. However, as you are mentioning RHEL, you may want to contact your IBM/RH support team to look for an answer. We do not support RHEL kernels in this GitHub. |
pcmoore
force-pushed
the
main
branch
2 times, most recently
from
6389f89
to
7bbb771
Compare
fix:audit.log can't record correctly when rm the dir end with '/'
step:
mkdir test
touch test/111.txt
rm -r test/
Log:
type=PATH msg=audit(1690506313.361:2505): item=1 name=(null) inode=1049357 dev=fc:03 mode=040755 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=PARENT cap_fp=0 cap_fi=0 cap_fe=0
type=PATH msg=audit(1690506313.361:2505): item=2 name=(null) inode=1049384 dev=fc:03 mode=040775 ouid=1000 ogid=1000 rdev=00:00 obj=unconfined_u:object_r:user_home_t:s0 nametype=DELETE cap_fp=0 cap_fi=0 cap_fe=0
Change-Id: I6b242a062ced1e3db129b9b9e5f155c681561c2a