Bug 1216095

Summary: [Build 26.1] ima-policy tcb with audit func=BPRM_CHECK not raising INTEGRITY_RULE audit line
Product: [openSUSE] PUBLIC SUSE Linux Enterprise Server 15 SP6
Reporter: Joaquín Rivera <jeriveramoya>
Component: Kernel
Assignee: Kernel Bugs <kernel-bugs>
Status: NEW ---
QA Contact:
Severity: Normal
Priority: P4 - Low
CC: meissner, riccardo.ceragioli, tiwai, tjyrinki
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://openqa.suse.de/tests/12410596/modules/ima_measurement_audit/steps/36
Whiteboard:
Found By: openQA
Services Priority:
Business Priority:
Blocker: Yes
Marketing QA Status: ---
IT Deployment: ---

Description Joaquín Rivera 2023-10-10 13:01:55 UTC
## Observation

openQA test in scenario sle-15-SP6-Online-x86_64-ima_measurement@uefi fails in
[ima_measurement_audit](https://openqa.suse.de/tests/12410596/modules/ima_measurement_audit/steps/36)

## Test suite description
Setup and test for IMA measurement functions.

Last good: [16.1](https://openqa.suse.de/tests/11980177) (or more recent)

Test fails because since two builds ago the audit record doesn't exist and it is expected at the end of the test, see code here:
https://github.com/os-autoinst/os-autoinst-distri-opensuse/blob/master/tests/security/ima/ima_measurement_audit.pm#L45

Please, let me know if you need further detail.

Comment 1 Marcus Meissner 2023-10-11 13:54:34 UTC
I would also delegate this to the kernel folks, area auditing.

Comment 2 Timo Jyrinki 2023-12-12 07:35:26 UTC
This still fails in Build44.1.

Comment 3 Takashi Iwai 2023-12-12 07:39:28 UTC
As usual for an openQA report, it's unclear what's failing and how it's reproduced. Could you give a bit more elaborate description of what openQA tests, at best with a code snippet that can run locally without openQA?

Comment 4 Timo Jyrinki 2023-12-15 11:25:54 UTC
Forgetting about openQA for now, a local setup and steps to reproduce:

Setup 1: SLE 15 SP5 QU1, all defaults except guided partitioning setup to select ext4

Setup 2: SLE 15 SP6, -- "" --

add to kernel boot flags: rootflags=iversion ima_policy=tcb
echo 'audit func=BPRM_CHECK' > /etc/sysconfig/ima-policy
reboot
echo -n '' > /var/log/audit/audit.log
ping -c 1 localhost
ausearch -m INTEGRITY_RULE

Setup 1 (SLE 15 SP5):
type INTEGRITY_RULE ... file="/usr/bin/ping" ...

This is the expected result.

Setup 2 (SLE 15 SP6):
<no matches>
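
A triage sketch for the reproduction steps in Comment 4, added here and not part of the bug thread or of the openQA test: it separates "boot flag missing", "audit rule not loaded" and "rule loaded but no INTEGRITY_RULE record", the last being the SP6 symptom. Function names, outcome labels and the sample lines are constructed; on a live system the inputs would be /proc/cmdline, /sys/kernel/security/ima/policy (assuming the kernel permits reading it) and /var/log/audit/audit.log.

```shell
#!/bin/sh
# Added triage helper, not part of the bug report. Input files are passed as
# arguments so the checks can be run on constructed samples or on a live host.

has_boot_flag() {            # $1 = cmdline file, $2 = exact flag
    tr ' ' '\n' < "$1" | grep -Fqx -- "$2"
}

policy_has_audit_rule() {    # $1 = loaded-policy file
    grep -Eq '^[[:space:]]*audit[[:space:]]+func=BPRM_CHECK([[:space:]]|$)' "$1"
}

count_integrity_rule() {     # $1 = raw audit log, $2 = executed file
    # grep -c prints 0 and exits 1 when nothing matches; keep the 0, drop the error.
    grep -F 'type=INTEGRITY_RULE' "$1" | grep -Fc -- "file=\"$2\"" || true
}

diagnose() {  # $1 = cmdline, $2 = policy, $3 = audit log, $4 = executed file
    has_boot_flag "$1" 'ima_policy=tcb' || { echo boot-flag-missing; return 0; }
    policy_has_audit_rule "$2" || { echo rule-not-loaded; return 0; }
    if [ "$(count_integrity_rule "$3" "$4")" -gt 0 ]; then
        echo audited
    else
        echo rule-loaded-but-no-record
    fi
}

# Constructed sample inputs (not captured from either setup in the report).
make_samples() {             # $1 = directory to fill
    echo 'root=/dev/vda2 rootflags=iversion ima_policy=tcb' > "$1/cmdline"
    printf '%s\n' 'dont_measure fsmagic=0x9fa0' 'audit func=BPRM_CHECK' > "$1/policy"
    echo 'type=INTEGRITY_RULE msg=audit(1700000000.000:100): file="/usr/bin/ping" pid=1' \
        > "$1/audit_ok.log"
    echo 'type=SYSCALL msg=audit(1700000000.000:101): comm="ping" exe="/usr/bin/ping"' \
        > "$1/audit_missing.log"
}

d=$(mktemp -d) && make_samples "$d"
diagnose "$d/cmdline" "$d/policy" "$d/audit_ok.log" /usr/bin/ping
diagnose "$d/cmdline" "$d/policy" "$d/audit_missing.log" /usr/bin/ping
rm -rf "$d"
```
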