From 12a69cde63ff0f507395931a746db18f71785501 Mon Sep 17 00:00:00 2001
From: Steve Grubb <ausearch.1@gmail.com>
Date: Wed, 24 Jan 2024 10:01:45 -0500
Subject: [PATCH] Auditd is stopping during upgrade (bz 2259610)

---
 audit-4.0-attributes.patch | 45 ++++++++++++++++++++++++++++++++++++++
 audit.spec                 | 37 ++++++++++++++++++++-----------
 2 files changed, 69 insertions(+), 13 deletions(-)
 create mode 100644 audit-4.0-attributes.patch

diff --git a/audit-4.0-attributes.patch b/audit-4.0-attributes.patch
new file mode 100644
index 0000000..6ef90f6
--- /dev/null
+++ b/audit-4.0-attributes.patch
@@ -0,0 +1,45 @@
+From 0db6e0960a5c55b468f21f9841bbc7e67832b66a Mon Sep 17 00:00:00 2001
+From: Steve Grubb <ausearch.1@gmail.com>
+Date: Wed, 17 Jan 2024 12:07:25 -0500
+Subject: [PATCH] Update function attributes
+
+---
+ auparse/auparse.h |  2 +-
+ lib/libaudit.h    | 10 +++++-----
+ 2 files changed, 6 insertions(+), 6 deletions(-)
+
+diff --git a/auparse/auparse.h b/auparse/auparse.h
+index c27f1ff96..0b3f68c35 100644
+--- a/auparse/auparse.h
++++ b/auparse/auparse.h
+@@ -68,7 +68,7 @@ void auparse_add_callback(auparse_state_t *au, auparse_callback_ptr callback,
+ 			void *user_data, user_destroy user_destroy_func);
+ void auparse_set_escape_mode(auparse_state_t *au, auparse_esc_t mode);
+ int auparse_reset(auparse_state_t *au);
+-char *auparse_metrics(const auparse_state_t *au);
++char *auparse_metrics(const auparse_state_t *au) __attr_dealloc_free;
+ 
+ /* Functions that are part of the search interface */
+ int ausearch_add_expression(auparse_state_t *au, const char *expression,
+diff --git a/lib/libaudit.h b/lib/libaudit.h
+index 34b337a7c..15ea2e6f4 100644
+--- a/lib/libaudit.h
++++ b/lib/libaudit.h
+@@ -248,12 +248,12 @@ int  audit_set_enabled(int fd, uint32_t enabled) __wur;
+ int  audit_set_failure(int fd, uint32_t failure) __wur;
+ int  audit_set_rate_limit(int fd, uint32_t limit);
+ int  audit_set_backlog_limit(int fd, uint32_t limit);
+-int audit_set_backlog_wait_time(int fd, uint32_t bwt);
+-int audit_reset_lost(int fd);
+-int audit_reset_backlog_wait_time_actual(int fd);
++int  audit_set_backlog_wait_time(int fd, uint32_t bwt);
++int  audit_reset_lost(int fd);
++int  audit_reset_backlog_wait_time_actual(int fd);
+ int  audit_set_feature(int fd, unsigned feature, unsigned value,
+-		      unsigned lock);
+-int  audit_set_loginuid_immutable(int fd);
++		      unsigned lock) __wur;
++int  audit_set_loginuid_immutable(int fd) __wur;
+ 
+ /* AUDIT_LIST_RULES */
+ int  audit_request_rules_list_data(int fd);
diff --git a/audit.spec b/audit.spec
index 6a039a1..6495d87 100644
--- a/audit.spec
+++ b/audit.spec
@@ -2,12 +2,12 @@
 Summary: User space tools for kernel auditing
 Name: audit
 Version: 4.0
-Release: 3%{?dist}
+Release: 4%{?dist}
 License: GPL-2.0-or-later AND LGPL-2.0-or-later
 URL: http://people.redhat.com/sgrubb/audit/
 Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
 Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
-
+Patch1: audit-4.0-attributes.patch
 BuildRequires: make gcc
 BuildRequires: kernel-headers >= 5.0
 BuildRequires: systemd
@@ -96,6 +96,7 @@ The audit rules package contains the rules and utilities to load audit rules.
 
 %prep
 %setup -q
+%patch 1 -p1
 cp %{SOURCE1} .
 
 # Remove the ids code, its not ready
@@ -137,8 +138,20 @@ rm -f rules/Makefile*
 
 %post
 %systemd_post auditd.service
+# If an upgrade, restart it if it's running
+if [ $1 -eq 2 ]; then
+    state=$(systemctl status auditd | awk '/Active:/ { print $2 }')
+    if [ $state = "active" ] ; then
+        auditctl --signal stop || true
+        systemctl start auditd
+    fi
+# if an install, start it since preset says we should be running
+elif [ $1 -eq 1 ]; then
+        systemctl start auditd
+fi
 
 %post rules
+%systemd_post audit-rules.service
 # Copy default rules into place on new installation
 files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w`
 if [ "$files" -eq 0 ] ; then
@@ -154,31 +167,26 @@ if [ "$files" -eq 0 ] ; then
 	else
 		touch /etc/audit/rules.d/audit.rules
 	fi
+	# Fix up permissions
 	chmod 0600 /etc/audit/rules.d/audit.rules
+	# Make the new rules active
+	augenrules --load
 fi
-%systemd_post audit-rules.service
 
 %preun
 %systemd_preun auditd.service
+# If uninstalling, stop it
 if [ $1 -eq 0 ]; then
-    auditctl --signal stop
+    auditctl --signal stop || true
 fi
 
 %preun rules
 %systemd_preun audit-rules.service
+# If uninstalling, delete the rules loaded in the kernel
 if [ $1 -eq 0 ]; then
     auditctl -D > /dev/null 2>&1
 fi
 
-%postun
-if [ $1 -ge 1 ]; then
-    state=$(systemctl status auditd | awk '/Active:/ { print $2 }')
-    if [ $state = "active" ] ; then
-        auditctl --signal stop
-        systemctl start auditd
-    fi
-fi
-
 %files libs
 %{!?_licensedir:%global license %%doc}
 %license lgpl-2.1.txt
@@ -278,6 +286,9 @@ fi
 %attr(750,root,root) %{_sbindir}/audispd-zos-remote
 
 %changelog
+* Wed Jan 24 2024 Steve Grubb <sgrubb@redhat.com> 4.0-4
+- Auditd is stopping during upgrade (bz 2259610)
+
 * Mon Jan 22 2024 Fedora Release Engineering <releng@fedoraproject.org> - 4.0-3
 - Rebuilt for https://fedoraproject.org/wiki/Fedora_40_Mass_Rebuild