3 changed files with 105 additions and 1 deletions
--- a/SOURCES/augenrules-immutable.patch
+++ b/SOURCES/augenrules-immutable.patch
@ -0,0 +1,77 @@
+diff -up audit-3.1.2/init.d/augenrules.orig audit-3.1.2/init.d/augenrules
+--- audit-3.1.2/init.d/augenrules.orig	2025-03-31 12:33:04.141223438 +0200
+++ audit-3.1.2/init.d/augenrules	2025-03-31 12:33:29.280457333 +0200
+@@ -32,10 +32,11 @@ ASuffix="prev"
+ OnlyCheck=0
+ LoadRules=0
+ RETVAL=0
+-usage="Usage: $0 [--check|--load]"
+cmd="$0"
+usage="Usage: $cmd [--check|--load]"
+ 
+ # Delete the interim file on faults
+-trap 'rm -f ${TmpRules}; exit 1' 1 2 3 13 15
+trap 'rm -f ${TmpRules}; exit 1' HUP INT QUIT PIPE TERM
+ 
+ try_load() {
+ 	if [ $LoadRules -eq 1 ] ; then
+@@ -44,6 +45,14 @@ try_load() {
+ 	fi
+ }
+ 
+# Check if audit is in immutable mode - exit if so
+check_immutable () {
+    if [ "$(auditctl -s | awk '$1 == "enabled" { print $2 }')" = "2" ] ; then
+	echo "$cmd: Audit system is in immutable mode - exiting with no changes"
+	exit 0
+    fi
+}
+
+ while [ $# -ge 1 ]
+ do
+ 	if [ "$1" = "--check" ] ; then
+@@ -59,7 +68,7 @@ done
+ 
+ # Check environment
+ if [ ! -d ${SourceRulesDir} ]; then
+-	echo "$0: No rules directory - ${SourceRulesDir}"
+	echo "$cmd: No rules directory - ${SourceRulesDir}"
+ 	rm -f "${TmpRules}"
+ 	try_load
+ 	exit 1
+@@ -101,7 +110,7 @@ END     {
+ 
+ # If empty then quit
+ if [ ! -s "${TmpRules}" ]; then
+-	echo "$0: No rules"
+	echo "$cmd: No rules"
+ 	rm -f "${TmpRules}"
+ 	try_load
+ 	exit $RETVAL
+@@ -110,17 +119,19 @@ fi
+ # If the same then quit
+ cmp -s "${TmpRules}" ${DestinationFile} > /dev/null 2>&1
+ if [ $? -eq 0 ]; then
+-	echo "$0: No change"
+	echo "$cmd: No change"
+ 	rm -f "${TmpRules}"
+	check_immutable
+ 	try_load
+ 	exit $RETVAL
+ elif [ $OnlyCheck -eq 1 ] ; then
+-	echo "$0: Rules have changed and should be updated"
+	echo "$cmd: Rules have changed and should be updated"
+ 	rm -f "${TmpRules}"
+ 	exit 0
+ fi
+ 
+ # Otherwise we install the new file
+check_immutable
+ if [ -f ${DestinationFile} ]; then
+ 	cp ${DestinationFile} ${DestinationFile}.${ASuffix}
+ fi
+@@ -135,3 +146,4 @@ rm -f "${TmpRules}"
+ 
+ try_load
+ exit $RETVAL
+
--- a/SOURCES/protected-kernel-modules.patch
+++ b/SOURCES/protected-kernel-modules.patch
@ -0,0 +1,14 @@
+diff --git a/init.d/auditd.service b/init.d/auditd.service
+index 8210c60eb..dd7ec694b 100644
+--- a/init.d/auditd.service
+++ b/init.d/auditd.service
+@@ -38,7 +38,8 @@ MemoryDenyWriteExecute=true
+ LockPersonality=true
+ # The following control prevents rules on /proc so its off by default
+ #ProtectControlGroups=true
+-ProtectKernelModules=true
+## The following control prevents rules on /usr/lib/modules/ its off by default
+#ProtectKernelModules=true
+ RestrictRealtime=true
+ 
+ [Install]
--- a/SPECS/audit.spec
+++ b/SPECS/audit.spec
@ -3,12 +3,15 @@
 Summary: User space tools for kernel auditing
 Name: audit
 Version: 3.1.2
-Release: 1%{?dist}
+Release: 1%{?dist}.1
 License: GPLv2+
 URL: http://people.redhat.com/sgrubb/audit/
 Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
 Source1: https://www.gnu.org/licenses/lgpl-2.1.txt

+Patch0: protected-kernel-modules.patch
+Patch1: augenrules-immutable.patch
+
 BuildRequires: gcc swig make
 BuildRequires: openldap-devel
 BuildRequires: krb5-devel libcap-ng-devel
@ -83,6 +86,10 @@ Management Facility) database, through an IBM Tivoli Directory Server

 %prep
 %setup -q
+
+%patch -P 0 -p1
+%patch -P 1 -p1
+
 cp %{SOURCE1} .
 #autoreconf -fv --install

@ -240,6 +247,12 @@ fi
 %attr(750,root,root) %{_sbindir}/audispd-zos-remote

 %changelog
+* Mon Mar 31 2025 Attila Lakatos <alakatos@redhat.com> - 3.1.2-1.1
+- Allow defining rules for /usr/lib/modules dir
+  Resolves: RHEL-59013
+- augenrules: fix return code if immutable mode is set
+  Resolves: RHEL-40109
+
 * Sat Oct 21 2023 Sergio Correia <scorreia@redhat.com> - 3.1.2-1
 - Rebase audit to latest upstream release
  Resolves: RHEL-15001