OK.
I installed the 2.6.17.7 kernel and then tried to build audit-1.2.5 and received the following...

make[2]: Entering directory `/tmp/audit/audit-1.2.5/src'
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../lib   -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -g -O2 -c -o auditd-auditd.o `test -f 'auditd.c' || echo './'`auditd.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../lib   -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -g -O2 -c -o auditd-auditd-event.o `test -f 'auditd-event.c' || echo './'`auditd-event.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../lib   -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -g -O2 -c -o auditd-auditd-config.o `test -f 'auditd-config.c' || echo './'`auditd-config.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../lib   -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -g -O2 -c -o auditd-auditd-reconfig.o `test -f 'auditd-reconfig.c' || echo './'`auditd-reconfig.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../lib   -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -g -O2 -c -o auditd-auditd-sendmail.o `test -f 'auditd-sendmail.c' || echo './'`auditd-sendmail.c
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../lib   -fPIE -DPIE -g -D_REENTRANT -D_GNU_SOURCE -g -O2 -c -o auditd-auditd-dispatch.o `test -f 'auditd-dispatch.c' || echo './'`auditd-dispatch.c
/bin/sh ../libtool --tag=CC --mode=link gcc -D_REENTRANT -D_GNU_SOURCE -g -O2   -o auditd -pie -Wl,-z,relro auditd-auditd.o auditd-auditd-event.o auditd-auditd-config.o auditd-auditd-reconfig.o auditd-auditd-sendmail.o auditd-auditd-dispatch.o -lpthread -Lmt -lauditmt
mkdir .libs
gcc -D_REENTRANT -D_GNU_SOURCE -g -O2 -o auditd -pie -Wl,-z -Wl,relro auditd-auditd.o auditd-auditd-event.o auditd-auditd-config.o auditd-auditd-reconfig.o auditd-auditd-sendmail.o auditd-auditd-dispatch.o  -lpthread -L/tmp/audit/audit-1.2.5/src/mt -lauditmt
gcc -DHAVE_CONFIG_H -I. -I. -I.. -I.. -I../lib   -D_REENTRANT -D_GNU_SOURCE -g -O2 -c auditctl.c
auditctl.c: In function ‘audit_print_reply’:
auditctl.c:1046: error: ‘AUDIT_SE_USER’ undeclared (first use in this function)
auditctl.c:1046: error: (Each undeclared identifier is reported only once
auditctl.c:1046: error: for each function it appears in.)
auditctl.c:1047: error: ‘AUDIT_SE_CLR’ undeclared (first use in this function)
make[2]: *** [auditctl.o] Error 1
make[2]: Leaving directory `/tmp/audit/audit-1.2.5/src'
make[1]: *** [all-recursive] Error 1
make[1]: Leaving directory `/tmp/audit/audit-1.2.5'
make: *** [all] Error 2


I also received the same error with the other kernel.  I did not build the SE-Linux stuff into the kernel; should I have?

thanks,

Lane


-----Original Message-----
From: Klaus Weidner [mailto:klaus@atsec.com]
Sent: Thu 8/3/2006 11:18 AM
To: Williams, P. Lane
Cc: linux-audit@redhat.com
Subject: Re: auditctl question

On Thu, Aug 03, 2006 at 09:00:25AM -0400, Williams, P. Lane wrote:
> I get ....
>
> ----
> type=SYSCALL msg=audit(08/03/06 08:49:37.229:78293) : arch=x86_64 syscall=open success=no exit=-13(Permission denied) a0=7ffff362f541 a1=0 a2=1b6 a3=0 items=1 pid=6334 auid=unknown(4294967295) uid=someuser gid=users euid=someuser suid=someuser fsuid=someuser egid=users sgid=users fsgid=users comm=more exe=/bin/more
> ----

This is from "ausearch -i"? The raw audit log shouldn't have the
"(Permission denied)" part in it, but apart from that it seems that the
kernel is auditing things correctly and this is unrelated to the bug I
had referred to.

> so I only get permission denied entries.  Auditctl allows me to create the rule, and it lists the rule.  But nothing is logged, when I know it should be.
>
> I am running the 2.6.16.21 kernel (SUSE Enterprise Desktop 10) on AMD64 dual core machines.

This kernel has a snapshot of the audit code that was in development at
the time. Can you please try with a newer upstream kernel and/or bug SUSE
to incorporate the current audit fixes in an update?

-Klaus
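The distinction Klaus draws above (the raw audit log versus the interpreted form `ausearch -i` prints, where `exit=-13` becomes `exit=-13(Permission denied)` and numeric ids become names) matters as soon as you script over these records. The following parser is an added example, not code from this thread or from the audit package: it splits a SYSCALL record into fields, tells the two forms apart, and pulls out the EACCES failures that Lane is seeing, whichever form the record is in. The interpreted record is the one quoted in the thread; the raw line is constructed for comparison (its epoch timestamp, uid/gid numbers and `arch` value are placeholders), and the field regex is a simplification of the real record grammar rather than the audit library's own parser.

```python
"""Parse Linux audit SYSCALL records in raw and `ausearch -i` (interpreted) form.

Added example; not code from the linux-audit thread or the audit package.
"""
import re

# Interpreted record exactly as quoted in the thread (ausearch -i output).
INTERPRETED = (
    "type=SYSCALL msg=audit(08/03/06 08:49:37.229:78293) : arch=x86_64 syscall=open "
    "success=no exit=-13(Permission denied) a0=7ffff362f541 a1=0 a2=1b6 a3=0 items=1 "
    "pid=6334 auid=unknown(4294967295) uid=someuser gid=users euid=someuser suid=someuser "
    "fsuid=someuser egid=users sgid=users fsgid=users comm=more exe=/bin/more"
)

# Constructed raw record for the same kind of event. The timestamp, arch value
# and numeric ids are placeholders, not taken from the thread.
RAW = (
    "type=SYSCALL msg=audit(1154609377.229:78293): arch=c000003e syscall=2 success=no "
    "exit=-13 a0=7ffff362f541 a1=0 a2=1b6 a3=0 items=1 pid=6334 auid=4294967295 uid=1000 "
    'gid=100 euid=1000 suid=1000 fsuid=1000 egid=100 sgid=100 fsgid=100 comm="more" '
    'exe="/bin/more"'
)

# key=value pairs; a value is either a double-quoted string or a run of
# non-space characters optionally followed by one parenthesised annotation
# that may itself contain spaces (e.g. exit=-13(Permission denied)).
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|[^\s(]*(?:\([^)]*\))?)')
ANNOT_RE = re.compile(r'^([^(]*)\((.*)\)$')

EACCES = -13  # errno value behind "Permission denied"


def parse_record(line):
    """Return the record's fields as a dict; quoted values lose their quotes."""
    fields = {}
    for key, value in FIELD_RE.findall(line):
        if value.startswith('"') and value.endswith('"'):
            value = value[1:-1]
        fields[key] = value
    return fields


def split_annotation(value):
    """Split 'base(annotation)' into ('base', 'annotation'); ('value', None) otherwise."""
    m = ANNOT_RE.match(value)
    if m:
        return m.group(1), m.group(2)
    return value, None


def is_interpreted(fields):
    """True if the record came from ausearch -i: the msg timestamp is a date
    rather than epoch.millis:serial, or a numeric field carries a name or
    a parenthesised annotation."""
    _, stamp = split_annotation(fields.get("msg", ""))
    if stamp and not re.match(r'^\d+\.\d+:\d+$', stamp):
        return True
    for key in ("exit", "auid", "uid"):
        base, annot = split_annotation(fields.get(key, ""))
        if annot is not None or (base and not re.match(r'^-?\d+$', base)):
            return True
    return False


def exit_code(fields):
    """Numeric syscall result, with any '(Permission denied)' annotation dropped."""
    base, _ = split_annotation(fields.get("exit", ""))
    return int(base)


def denied_events(lines):
    """(pid, comm, exe, syscall) for SYSCALL records that failed with EACCES,
    independent of whether the input is raw or interpreted."""
    hits = []
    for line in lines:
        f = parse_record(line)
        if f.get("type") != "SYSCALL" or f.get("success") != "no":
            continue
        if exit_code(f) == EACCES:
            hits.append((int(f["pid"]), f["comm"], f["exe"], f["syscall"]))
    return hits


if __name__ == "__main__":
    for rec in (INTERPRETED, RAW):
        f = parse_record(rec)
        print("interpreted" if is_interpreted(f) else "raw", exit_code(f))
    print(denied_events([INTERPRETED, RAW]))
```

Note that in the raw form `syscall` is the numeric syscall number and `arch` is a hex value, so a script keyed on `syscall=open` only works on interpreted output; matching on `success=no` and the numeric `exit` is the form-independent check.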