On Fri, May 30, 2025 at 5:06 PM Steve Grubb <sgrubb(a)redhat.com> wrote:
On Friday, May 30, 2025 4:41:36 PM Eastern Daylight Time Paul Moore
wrote:
> > If you notice any problems with this release, please let us know.
>
> I'm not sure if this is an intentional change, but I don't see it
> explicitly listed in the changelog above so I wanted to mention this
> in case it was a bug.
>
> I recently upgraded audit from version 4.0.3-2.fc42 to 4.0.4-1.fc43 on
> my Fedora Rawhide test system and I started to see "Option
> exclude,always is invalid" errors when I had not previously. Is this
> expected behavior, and if so, what is the suggested alternative to
> 'auditctl -a exclude,always'?
Oddly enough, it works on my system (which is f42 but new audit code). But
when I list the rules to make sure, it reverses the fields to always,exclude -
which I think is the preferred way.
My apologies, I said it was the 'auditctl -a exclude,always ...'
command that was the source of the error, but I was mistakenly
off-by-one with the test, it is the 'auditctl -d exclude,always ...'
command that is the source of the problem.
Here is a very simple reproducer:
% rpm -q audit
audit-4.0.4-1.fc43.x86_64
% auditctl -l
No rules
% auditctl -a exclude,always -F msgtype=SYSCALL
% auditctl -d exclude,always -F msgtype=SYSCALL
Option exclude,always is invalid
There was an error while processing parameters
% auditctl -d always,exclude -F msgtype=SYSCALL
Option always,exclude is invalid
There was an error while processing parameters
% auditctl -l
-a always,exclude -F msgtype=SYSCALL
> For reference, here is the last known good test run with version
> 4.0.3-2.fc42:
> * https://groups.google.com/g/kernel-secnext/c/KCk5MZbnv5w
>
> ... and here is the first failing test run with version 4.0.4-1.fc43:
> * https://groups.google.com/g/kernel-secnext/c/hyDNpgH-rjk
>
> I've also reproduced this manually by only changing the audit packages
> on my system to help rule out kernel, library, or other changes; it
> does appear to be related to the audit 4.0.4-1.fc43 release/build.
Is there a pointer to the test suite? I'll check on a rawhide system. This
would be odd if the same code works on F42 and not rawhide.
The audit-testsuite repo is here:
https://github.com/linux-audit/audit-testsuite
... and the failures should be easily reproducible on a current
Rawhide system; it's the appropriately named "filter_exclude" test
which is failing. The first of the failing commands can be seen here
on GH:
https://github.com/linux-audit/audit-testsuite/blob/6f8c12deb46596df32fb1...
--
paul-moore.com