158356 – kernel audit part emits newline to syslog

Bug 158356 - kernel audit part emits newline to syslog

Summary: kernel audit part emits newline to syslog

Status:	RESOLVED FIXED

Alias:	None

Product:	SUSE Linux 10.1
Classification:	openSUSE
Component:	AppArmor (show other bugs)
Version:	Beta 7
Hardware:	Other Other

Priority:	P5 - None Severity: Critical (vote)
Target Milestone:	---
Assignee:	Tony Jones
QA Contact:	Dominic W Reynolds

URL:
Whiteboard:
Keywords:

Depends on:
Blocks:

Clone This Bug

Reported:	2006-03-15 18:37 UTC by Marcus Rückert
Modified:	2006-05-22 17:29 UTC (History)
CC List:	1 user (show)

See Also:
Found By:	Other
Services Priority:
Business Priority:
Blocker:	---
Marketing QA Status:	---
IT Deployment:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Marcus Rückert 2006-03-15 18:37:17 UTC

without auditd running i get a trailing new line for every syslog message from the audit framework
[[[
Mar 15 17:43:19 pixel kernel: audit(1142440998.503:2123): REJECTING r access to /etc/hosts.deny (mysqld(2628) profile /usr/sbin/mysqld active /usr/sbin/mysqld)
Mar 15 17:43:19 pixel kernel: 
]]]

Comment 1 Dominic W Reynolds 2006-03-21 07:18:58 UTC

tony this has been addressed right? Is this change in kernel cvs yet?

Comment 2 Seth R Arnold 2006-05-11 00:11:39 UTC

Jesse discovered when debugging some oddities with logprof/genprof on a test machine that these blank lines cause problems for these sequences:

May  5 17:07:09 dhcp-81 kernel: audit(1146874029.306:591): PERMITTING x access to /tmp/ux.date (pxsh(4799) profile /root/test.sh active /root/test.sh)
May  5 17:07:09 dhcp-81 kernel: 
May  5 17:07:09 dhcp-81 kernel: audit(1146874029.306:592): LOGPROF-HINT changing_profile pid=4799

SubDomain.pm uses "PERMITTING x access" immediately followed by the changing_profile hints to determine when it should prepare ix/px/ux questions to the user.

This race condition needs to be addressed in SubDomain.pm, but we should be aware that learning mode will not function properly unless auditd is enabled.

Comment 3 Seth R Arnold 2006-05-12 18:13:03 UTC

The modifications to SubDomain.pm are too significant to be made in time for CODE10 release. I strongly suggest that we include the kernel patch to remove the extraneous newlines, so that AppArmor policy tools will function when audit is not installed.

Comment 4 Seth R Arnold 2006-05-12 18:32:01 UTC

SubDomain.pm's flaw is tracked as bug 175421.

Comment 5 Thorsten Kukuk 2006-05-16 12:18:11 UTC

So this patch is in kernel CVS and checked in, why wasn't it closed?

Comment 6 Andreas Jaeger 2006-05-18 07:37:55 UTC

The patch is indeed checked in so this is not a blocker anymore.

Lowering severity instead of marking as fixed in case there are further problems.

Comment 7 Tony Jones 2006-05-21 19:56:18 UTC

I don't anticipate further problems.  Planning to marked as FIXED unless I hear objections.

Comment 8 Tony Jones 2006-05-22 17:29:32 UTC

Fixed in latest stable kernel (also checked into 10.1 branch).