Bug 158356

Summary: kernel audit part emits newline to syslog
Product: [openSUSE] SUSE Linux 10.1 Reporter: Marcus Rückert <mrueckert>
Component: AppArmorAssignee: Tony Jones <tonyj>
Status: RESOLVED FIXED QA Contact: Dominic W Reynolds <dreynolds>
Severity: Critical    
Priority: P5 - None CC: tonyj
Version: Beta 7   
Target Milestone: ---   
Hardware: Other   
OS: Other   
Whiteboard:
Found By: Other Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Marcus Rückert 2006-03-15 18:37:17 UTC 
without auditd running i get a trailing new line for every syslog message from the audit framework
[[[
Mar 15 17:43:19 pixel kernel: audit(1142440998.503:2123): REJECTING r access to /etc/hosts.deny (mysqld(2628) profile /usr/sbin/mysqld active /usr/sbin/mysqld)
Mar 15 17:43:19 pixel kernel: 
]]]
Comment 1 Dominic W Reynolds 2006-03-21 07:18:58 UTC 
tony this has been addressed right? Is this change in kernel cvs yet?
Comment 2 Seth R Arnold 2006-05-11 00:11:39 UTC 
Jesse discovered when debugging some oddities with logprof/genprof on a test machine that these blank lines cause problems for these sequences:

May  5 17:07:09 dhcp-81 kernel: audit(1146874029.306:591): PERMITTING x access to /tmp/ux.date (pxsh(4799) profile /root/test.sh active /root/test.sh)
May  5 17:07:09 dhcp-81 kernel: 
May  5 17:07:09 dhcp-81 kernel: audit(1146874029.306:592): LOGPROF-HINT changing_profile pid=4799

SubDomain.pm uses "PERMITTING x access" immediately followed by the changing_profile hints to determine when it should prepare ix/px/ux questions to the user.

This race condition needs to be addressed in SubDomain.pm, but we should be aware that learning mode will not function properly unless auditd is enabled.
Comment 3 Seth R Arnold 2006-05-12 18:13:03 UTC 
The modifications to SubDomain.pm are too significant to be made in time for CODE10 release. I strongly suggest that we include the kernel patch to remove the extraneous newlines, so that AppArmor policy tools will function when audit is not installed.
Comment 4 Seth R Arnold 2006-05-12 18:32:01 UTC 
SubDomain.pm's flaw is tracked as bug 175421.
Comment 5 Thorsten Kukuk 2006-05-16 12:18:11 UTC 
So this patch is in kernel CVS and checked in, why wasn't it closed?
Comment 6 Andreas Jaeger 2006-05-18 07:37:55 UTC 
The patch is indeed checked in so this is not a blocker anymore.

Lowering severity instead of marking as fixed in case there are further problems.
Comment 7 Tony Jones 2006-05-21 19:56:18 UTC 
I don't anticipate further problems.  Planning to marked as FIXED unless I hear objections.
Comment 8 Tony Jones 2006-05-22 17:29:32 UTC 
Fixed in latest stable kernel (also checked into 10.1 branch).