On Friday, May 30, 2025 4:41:36 PM Eastern Daylight Time Paul Moore wrote:
> > If you notice any problems with this release, please let us know.
>
> I'm not sure if this is an intentional change, but I don't see it
> explicitly listed in the changelog above so I wanted to mention this
> in case it was a bug.
>
> I recently upgraded audit from version 4.0.3-2.fc42 to 4.0.4-1.fc43 on
> my Fedora Rawhide test system and I started to see "Option
> exclude,always is invalid" errors when I had not previously. Is this
> expected behavior, and if so, what is the suggested alternative to
> 'auditctl -a exclude,always'?

Oddly enough, it works on my system (which is f42 but new audit code). But
when I list the rules to make sure, it reverses the fields to always,exclude -
which I think is the preferred way.

> For reference, here is the last known good test run with version
> 4.0.3-2.fc42:
>
>  * https://groups.google.com/g/kernel-secnext/c/KCk5MZbnv5w
>
> ... and here is the first failing test run with version 4.0.4-1.fc43:
>
>  * https://groups.google.com/g/kernel-secnext/c/hyDNpgH-rjk
>
> I've also reproduced this manually by only changing the audit packages
> on my system to help rule out kernel, library, or other changes; it
> does appear to be related to the audit 4.0.4-1.fc43 release/build.

Is there a pointer to the test suite? I'll check on a rawhide system. This
would be odd if the same code works on F42 and not rawhide.
-Steve