Summary: Break in audit filtering on s390x (between audit.81 and audit.82)
Vendor: Red Hat Linux
Version: RHEL4_U1
Platform: zSeries
Architecture: S390-64
Submitting Project: Bluefortress
Owning Team: LTC
Required Date: 0000-00-00 00:00:00
Status: OPEN
Severity: high
Priority: P2
Component: Kernel
Owner: bugrobot(a)linux.ibm.com
SubmittedBy: mcthomps(a)us.ibm.com
QAContact: rosalesa(a)us.ibm.com
Problem description:
Somewhere in the changes from the audit.81 kernel to the audit.82 kernel
(and up to audit.84), there is a break in filtering rules on the s390x
platform.
Current patches:
audit.81 kernel & higher (varies for testing purposes)
uname -a
Linux lnxltc08 2.6.9-11.EL.audit.82 #1 SMP Fri Jul 29 10:53:17 EDT 2005 s390x s390x s390x GNU/Linux
Hardware Environment
Machine type: s390x, z/VM 5
Cpu type: IBM/S390
The bug is reproducible and the outcome is consistent for all kernels: on
the 81 kernel the record is generated; under the 82+ kernel it is not.
The following audit ruleset will cause no problems under the audit.81
kernel:
auditctl -a entry,always -S open -F a2=448 -F exit!=0 -F auid=500 -F euid=0
However, when this same ruleset is used under the audit.82 kernel (till
audit.84 - highest at the time of writing), the record is not generated.
In order to cause a record to be generated, we create a file as root, and
then attempt to open that file as root. With the ruleset as exit,always,
this will work under all kernels. When the rule is entry,always and we drop
the filter on a2 (-F a2=448), then the rule will pass and the record is
generated under all kernels.
In summary: when the kernel is > audit.82, -a entry,always, and -F a2=448
is included, then the record is not generated. However, changing 1 of these
3 will result in the record's generation.
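
A trigger for the rule above, as an added example (not the reporter's test
code). It assumes a2 is the mode argument of open(), so -F a2=448 corresponds
to mode 0700; open_with_a2, run_trigger and the default path are hypothetical
names chosen here.

```c
#ifndef _GNU_SOURCE
#define _GNU_SOURCE              /* for syscall() */
#endif
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

#define RULE_A2   448            /* value from "-F a2=448" in the report */
#define OPEN_MODE 0700           /* assumption: a2 is the mode argument  */

/* Issue open(2) with its third argument equal to RULE_A2.
 * Returns the syscall result: an fd >= 0 on success, -1 on error. */
long open_with_a2(const char *path, int flags)
{
#ifdef SYS_open
    /* Raw syscall: newer C libraries implement open() through openat(),
     * which a rule written with "-S open" does not match. */
    return syscall(SYS_open, path, flags, (mode_t)OPEN_MODE);
#else
    return open(path, flags, (mode_t)OPEN_MODE);
#endif
}

/* Create the file, then open it again, as the report describes.
 * Returns 0 if both opens succeeded, -1 otherwise. */
int run_trigger(const char *path)
{
    long fd = open_with_a2(path, O_RDWR | O_CREAT);
    if (fd < 0)
        return -1;
    close((int)fd);
    /* The mode is ignored without O_CREAT, but a2 still carries 448. */
    fd = open_with_a2(path, O_RDWR);
    if (fd < 0)
        return -1;
    close((int)fd);
    return 0;
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/tmp/audit_a2_test";
    int rc = run_trigger(path);
    printf("a2=%d (0%o) trigger on %s: %s\n", RULE_A2, OPEN_MODE, path,
           rc == 0 ? "opened" : "failed");
    return rc == 0 ? 0 : 1;
}
```

Run it as root with the rule loaded, once per variant (entry vs. exit list,
with and without -F a2=448), and compare which runs leave a record in the
audit log.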