Summary: Break in audit filtering on s390x (between audit.81 and
Vendor: Red Hat Linux
Submitting Project: Bluefortress
Owning Team: LTC
Required Date: 0000-00-00 00:00:00
Owner: bugrobot linux ibm com
SubmittedBy: mcthomps us ibm com
QAContact: rosalesa us ibm com
Somewhere in the changes from the audit.81 kernel to the audit.82 kernel (and up
to audit.84), there is a break in filtering rules on the s390x platform.
audit.81 kernel & higher (varies for testing purposes)
Linux lnxltc08 2.6.9-11.EL.audit.82 #1 SMP Fri Jul 29 10:53:17 EDT 2005 s390x
s390x s390x GNU/Linux
Machine type: s390x, z/VM 5
Cpu type: IBM/S390
The bug is reproducible; the outcome is consistent for all kernels: on the 81
kernel the record is generated, under the 82+ kernel it is not.
The following audit ruleset will cause no problems under the audit.81 kernel:
auditctl -a entry,always -S open -F a2=448 -F exit!=0 -F auid=500 -F euid=0
However, when this same ruleset is used under the audit.82 kernel (till audit.84
- highest at the time of writing), the record is not generated.
In order to cause a record to be generated, we create a file as root, and then
attempt to open that file as root. With the ruleset as exit,always, this will
work under all kernels. When the rule is entry,always and we drop the filter on
a2 (-F a2=448), then the rule will pass and the record is generated under all
In summary: when the kernel is > audit.82, -a entry,always, and -F a2=448 is
included, then the record is not generated. However, changing 1 of these 3 will
result in the record's generation.
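
A minimal trigger for the rule above, as an added example that is not part of the original report. It assumes the test's open call passes mode 0700 as its third argument (a2 = 448 decimal); the file path and the helper names raw_open and trigger_open are hypothetical.

```c
/* Added example, not code from the original bug report. */
#define _GNU_SOURCE
#include <fcntl.h>
#include <stdio.h>
#include <sys/stat.h>
#include <sys/syscall.h>
#include <unistd.h>

/* "-F a2=448" compares the third argument of open(2), the mode,
 * against decimal 448, which is octal 0700 (S_IRWXU). */
#define RULE_A2 448

/* Issue open(path, flags, mode). Prefer the raw open syscall so that an
 * "-S open" rule sees it: newer C libraries may route open() through
 * openat, where the mode is a3 instead of a2. */
static int raw_open(const char *path, int flags, mode_t mode)
{
#ifdef SYS_open
    return (int)syscall(SYS_open, path, (long)flags, (long)mode);
#else
    return open(path, flags, mode);
#endif
}

/* Create the file, then open it again with the same mode argument
 * (assumed form of the report's "create a file, then open it" step).
 * Returns 0 when both opens succeed, -1 otherwise. */
int trigger_open(const char *path)
{
    int fd = raw_open(path, O_CREAT | O_WRONLY, RULE_A2);
    if (fd < 0)
        return -1;
    close(fd);

    fd = raw_open(path, O_CREAT | O_RDONLY, RULE_A2);
    if (fd < 0)
        return -1;
    close(fd);
    return 0;
}

int main(int argc, char **argv)
{
    /* Constructed default path; pass another as argv[1]. */
    const char *path = argc > 1 ? argv[1] : "/tmp/audit_a2_test";
    int rc = trigger_open(path);
    printf("a2=%d (0%o) open %s\n", RULE_A2, RULE_A2, rc == 0 ? "ok" : "failed");
    unlink(path);
    return rc == 0 ? 0 : 1;
}
```

Run it with the rule loaded, once per kernel, and compare whether a record for the open syscall appears in the audit log.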