- Fix overflow in audit_log_user_command, better (#438840)

- ausearch was not matching path in avc records
- audisp-prelude attempt to reposition index after examining each type
- correct building of mls policy

audit-1.7.2-avc.patch

@@ -0,0 +1,21 @@
+diff -urp audit-1.7.2.orig/src/ausearch-parse.c audit-1.7.2/src/ausearch-parse.c
+--- audit-1.7.2.orig/src/ausearch-parse.c	2008-04-09 14:26:27.000000000 -0400
++++ audit-1.7.2/src/ausearch-parse.c	2008-04-17 10:44:10.000000000 -0400
+@@ -1208,6 +1212,17 @@ static int parse_avc(const lnode *n, sea
+ 			term = str + 6;
+ 		}
+ 	}
++	if (event_filename) {
++		// do we have a path?
++		str = strstr(term, " path=");
++		if (str) {
++			str += 6;
++			rc =  common_path_parser(s, str);
++			if (rc)
++				goto err;
++			term += 7;
++		}
++	}
+ 	if (event_subject) {
+ 		// scontext
+ 		str = strstr(term, "scontext=");

audit-1.7.3-cmd.patch

@@ -0,0 +1,29 @@
+diff -urp audit-1.7.2/lib/audit_logging.c audit-1.7.3/lib/audit_logging.c
+--- audit-1.7.2/lib/audit_logging.c	2008-04-01 12:25:33.000000000 -0400
++++ audit-1.7.3/lib/audit_logging.c	2008-04-11 17:07:24.000000000 -0400
+@@ -633,7 +633,6 @@ int audit_log_user_command(int audit_fd,
+ 	// We borrow the commname buffer
+ 	if (getcwd(commname, PATH_MAX) == NULL)
+ 		strcpy(commname, "?");
+-	strcpy(cwdname, commname);
+ 	p = commname;
+ 	len = strlen(commname);
+ 	while (*p) {
+@@ -644,6 +643,8 @@ int audit_log_user_command(int audit_fd,
+ 		}
+ 		p++;
+ 	}
++	if (cwdenc == 0)
++		strcpy(cwdname, commname);
+ 
+ 	len = strlen(cmd);
+ 	// Trim the trailing carriage return and spaces
+@@ -665,6 +666,8 @@ int audit_log_user_command(int audit_fd,
+ 		}
+ 		p++;
+ 	}
++	if (cmdenc == 0)
++		strcpy(commname, cmd);
+ 	free(cmd);
+ 
+ 	// Make the format string

audit-1.7.3-prelude.patch

@@ -0,0 +1,33 @@
+diff -urp audit-1.7.2.orig/audisp/plugins/prelude/audisp-prelude.c audit-1.7.2/audisp/plugins/prelude/audisp-prelude.c
+--- audit-1.7.2.orig/audisp/plugins/prelude/audisp-prelude.c	2008-04-07 16:57:12.000000000 -0400
++++ audit-1.7.2/audisp/plugins/prelude/audisp-prelude.c	2008-04-17 16:27:51.000000000 -0400
+@@ -228,7 +228,8 @@ int main(int argc, char *argv[])
+ 		return -1;
+ 	}
+ 
+-	syslog(LOG_INFO, "audisp-prelude is ready for events");
++	if (mode != M_TEST)
++		syslog(LOG_INFO, "audisp-prelude is ready for events");
+ 	do {
+ 		/* Load configuration */
+ 		if (hup) {
+@@ -248,9 +249,10 @@ int main(int argc, char *argv[])
+ 	/* Flush any accumulated events from queue */
+ 	auparse_flush_feed(au);
+ 
+-	syslog(LOG_INFO, "audisp-prelude is exiting on stop request");
+ 	if (mode == M_TEST)
+ 		puts("audisp-prelude is exiting on stop request");
++	else
++		syslog(LOG_INFO, "audisp-prelude is exiting on stop request");
+ 
+ 	/* Cleanup subsystems */
+ 	if (client) 
+@@ -1938,6 +1940,7 @@ static void handle_event(auparse_state_t
+ 				break;
+ 			case AUDIT_SYSCALL:
+ 				handle_watched_syscalls(au, &idmef, &alert);
++				goto_record_type(au, AUDIT_SYSCALL);
+ 				break;
+ 			default:
+ 				break;

audit.spec

@@ -1,17 +1,20 @@
 %define sca_version 0.4.6
-%define sca_release 5
+%define sca_release 6
 %define selinux_variants mls strict targeted
 %define selinux_policyver 3.2.5 
 %{!?python_sitelib: %define python_sitelib %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib()")}
 
 Summary: User space tools for 2.6 kernel auditing
 Name: audit
-Version: 1.7.1
+Version: 1.7.2
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: GPLv2+
 Group: System Environment/Daemons
 URL: http://people.redhat.com/sgrubb/audit/
 Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
+Patch1: audit-1.7.3-cmd.patch
+Patch2: audit-1.7.2-avc.patch
+Patch3: audit-1.7.3-prelude.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
 BuildRequires: gettext-devel intltool libtool swig python-devel
 BuildRequires: kernel-headers >= 2.6.18
@@ -95,6 +98,9 @@ A graphical utility for editing audit configuration.
 
 %prep
 %setup -q
+%patch1 -p1
+%patch2 -p1
+%patch3 -p1
 mkdir zos-remote-policy
 cp -p audisp/plugins/zos-remote/policy/audispd-zos-remote.* zos-remote-policy
 
@@ -106,9 +112,14 @@ make %{?_smp_mflags}
 cd zos-remote-policy
 for selinuxvariant in %{selinux_variants}
 do
-  make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile
+  if [ "${selinuxvariant}" = "mls" ]; then
+    TYPE=mls-mls
+  else
+    TYPE=${selinuxvariant}-mcs
+  fi
+  make -f /usr/share/selinux/devel/Makefile
   mv audispd-zos-remote.pp audispd-zos-remote.pp.${selinuxvariant}
-  make NAME=${selinuxvariant} -f /usr/share/selinux/devel/Makefile clean
+  make -f /usr/share/selinux/devel/Makefile clean
 done
 cd -
 
@@ -315,6 +326,12 @@ fi
 %config(noreplace) %{_sysconfdir}/security/console.apps/system-config-audit-server
 
 %changelog
+* Tue Apr 08 2008 Steve Grubb <sgrubb@redhat.com> 1.7.2-2
+- Fix overflow in audit_log_user_command, better (#438840)
+- ausearch was not matching path in avc records
+- audisp-prelude attempt to reposition index after examining each type
+- correct building of mls policy
+
 * Tue Apr 08 2008 Steve Grubb <sgrubb@redhat.com> 1.7.1-1
 - Fix buffer overflow in audit_log_user_command, again (#438840)
 - Fix memory leak in EOE code in auditd (#440075)

sources

@@ -1 +1 @@
-c9d9fcfc19bdc131cc7bcf53b9b2dba4  audit-1.7.1.tar.gz
+1415749e73fbee34ff5f5f78ab92386a  audit-1.7.2.tar.gz