From 98754893578a8bfb5c7e7170cae10c3c424fad9b Mon Sep 17 00:00:00 2001
From: Cropi
Date: Mon, 31 Mar 2025 12:35:53 +0200
Subject: [PATCH] Allow defining rules for /usr/lib/modules dir

Resolves: RHEL-59013
augenrules: fix return code if immutable mode is set
Resolves: RHEL-40109
---
 audit.spec | 15 ++++++-
 augenrules-immutable.patch | 77 ++++++++++++++++++++++++++++++++++
 protected-kernel-modules.patch | 14 +++++++
 3 files changed, 105 insertions(+), 1 deletion(-)
 create mode 100644 augenrules-immutable.patch
 create mode 100644 protected-kernel-modules.patch

diff --git a/audit.spec b/audit.spec
index c7f1a10..0764773 100644
--- a/audit.spec
+++ b/audit.spec
@@ -3,12 +3,15 @@
 Summary: User space tools for kernel auditing
 Name: audit
 Version: 3.1.2
-Release: 1%{?dist}
+Release: 1%{?dist}.1
 License: GPLv2+
 URL: http://people.redhat.com/sgrubb/audit/
 Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
 Source1: https://www.gnu.org/licenses/lgpl-2.1.txt
+Patch0: protected-kernel-modules.patch
+Patch1: augenrules-immutable.patch
+
 BuildRequires: gcc swig make
 BuildRequires: openldap-devel
 BuildRequires: krb5-devel libcap-ng-devel
@@ -83,6 +86,10 @@ Management Facility) database, through an IBM Tivoli Directory Server
 %prep
 %setup -q
+
+%patch -P 0 -p1
+%patch -P 1 -p1
+
 cp %{SOURCE1} .
 #autoreconf -fv --install
@@ -240,6 +247,12 @@ fi
 %attr(750,root,root) %{_sbindir}/audispd-zos-remote
 %changelog
+* Mon Mar 31 2025 Attila Lakatos - 3.1.2-1.1
+- Allow defining rules for /usr/lib/modules dir
+ Resolves: RHEL-59013
+- augenrules: fix return code if immutable mode is set
+ Resolves: RHEL-40109
+
 * Sat Oct 21 2023 Sergio Correia - 3.1.2-1
 - Rebase audit to latest upstream release
 Resolves: RHEL-15001
diff --git a/augenrules-immutable.patch b/augenrules-immutable.patch
new file mode 100644
index 0000000..f84d767
--- /dev/null
+++ b/augenrules-immutable.patch
@@ -0,0 +1,77 @@
+diff -up audit-3.1.2/init.d/augenrules.orig audit-3.1.2/init.d/augenrules
+--- audit-3.1.2/init.d/augenrules.orig 2025-03-31 12:33:04.141223438 +0200
++++ audit-3.1.2/init.d/augenrules 2025-03-31 12:33:29.280457333 +0200
+@@ -32,10 +32,11 @@ ASuffix="prev"
+ OnlyCheck=0
+ LoadRules=0
+ RETVAL=0
+-usage="Usage: $0 [--check|--load]"
++cmd="$0"
++usage="Usage: $cmd [--check|--load]"
+ 
+ # Delete the interim file on faults
+-trap 'rm -f ${TmpRules}; exit 1' 1 2 3 13 15
++trap 'rm -f ${TmpRules}; exit 1' HUP INT QUIT PIPE TERM
+ 
+ try_load() {
+ if [ $LoadRules -eq 1 ] ; then
+@@ -44,6 +45,14 @@ try_load() {
+ fi
+ }
+ 
++# Check if audit is in immutable mode - exit if so
++check_immutable () {
++ if [ "$(auditctl -s | awk '$1 == "enabled" { print $2 }')" = "2" ] ; then
++ echo "$cmd: Audit system is in immutable mode - exiting with no changes"
++ exit 0
++ fi
++}
++
+ while [ $# -ge 1 ]
+ do
+ if [ "$1" = "--check" ] ; then
+@@ -59,7 +68,7 @@ done
+ 
+ # Check environment
+ if [ ! -d ${SourceRulesDir} ]; then
+- echo "$0: No rules directory - ${SourceRulesDir}"
++ echo "$cmd: No rules directory - ${SourceRulesDir}"
+ rm -f "${TmpRules}"
+ try_load
+ exit 1
+@@ -101,7 +110,7 @@ END {
+ 
+ # If empty then quit
+ if [ ! -s "${TmpRules}" ]; then
+- echo "$0: No rules"
++ echo "$cmd: No rules"
+ rm -f "${TmpRules}"
+ try_load
+ exit $RETVAL
+@@ -110,17 +119,19 @@ fi
+ 
+ # If the same then quit
+ cmp -s "${TmpRules}" ${DestinationFile} > /dev/null 2>&1
+ if [ $? 
-eq 0 ]; then
+- echo "$0: No change"
++ echo "$cmd: No change"
+ rm -f "${TmpRules}"
++ check_immutable
+ try_load
+ exit $RETVAL
+ elif [ $OnlyCheck -eq 1 ] ; then
+- echo "$0: Rules have changed and should be updated"
++ echo "$cmd: Rules have changed and should be updated"
+ rm -f "${TmpRules}"
+ exit 0
+ fi
+ 
+ # Otherwise we install the new file
++check_immutable
+ if [ -f ${DestinationFile} ]; then
+ cp ${DestinationFile} ${DestinationFile}.${ASuffix}
+ fi
+@@ -135,3 +146,4 @@ rm -f "${TmpRules}"
+ 
+ try_load
+ exit $RETVAL
++
diff --git a/protected-kernel-modules.patch b/protected-kernel-modules.patch
new file mode 100644
index 0000000..195dbd7
--- /dev/null
+++ b/protected-kernel-modules.patch
@@ -0,0 +1,14 @@
+diff --git a/init.d/auditd.service b/init.d/auditd.service
+index 8210c60eb..dd7ec694b 100644
+--- a/init.d/auditd.service
++++ b/init.d/auditd.service
+@@ -38,7 +38,8 @@ MemoryDenyWriteExecute=true
+ LockPersonality=true
+ # The following control prevents rules on /proc so its off by default
+ #ProtectControlGroups=true
+-ProtectKernelModules=true
++## The following control prevents rules on /usr/lib/modules/ its off by default
++#ProtectKernelModules=true
+ RestrictRealtime=true
+ 
+ [Install]
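Review bot: `check_immutable` exits without removing the interim file, so on the install path (the call placed right after `# Otherwise we install the new file`) a changed rule set on a system already in immutable mode leaves `${TmpRules}` behind — the `trap` only fires on signals, not on `exit`, and the `rm -f "${TmpRules}"` that precedes the call in the `No change` branch has no counterpart here (the later `rm -f` at the hunk marked `@@ -135,3 +146,4 @@` is skipped by the early exit). Add the cleanup to the function itself, `rm -f "${TmpRules}"` immediately before `exit 0`, which is harmless on the `No change` path where the file is already gone. The early exit also means `${DestinationFile}` is not regenerated, so the on-disk rules stay stale until the next `--load` before `-e 2` takes effect (presumably at boot — confirm); that deserves a comment on the function since the exit status 0 now hides it from callers. If `auditctl -s` fails or is unavailable the substitution is empty and the script silently proceeds as if not immutable, which looks acceptable but is worth a one-line comment. The rest of the script, including where `${TmpRules}` is created, is outside the hunk.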
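Review bot: Commenting out `ProtectKernelModules=true` drops all of that sandboxing from auditd rather than only the part that blocks watch rules on `/usr/lib/modules`; as far as I recall systemd's documentation, the directive also removes CAP_SYS_MODULE from the bounding set and filters the `@module` system calls, and those two pieces can be kept with `CapabilityBoundingSet=~CAP_SYS_MODULE` and `SystemCallFilter=~@module` while leaving the directory visible — worth confirming against the shipped systemd version. The hardening regression is not mentioned in the commit message or changelog and should be, since it is the only runtime behaviour change for users who never add such rules. The new comment should also match the form and grammar of the `ProtectControlGroups` line above it: `# The following control prevents rules on /usr/lib/modules so it's off by default`. The remaining unit directives are outside the hunk.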