Fix package for immutable mode (jsc#PED-14752)

Move to tmpfiles based file creation to match requirements for immutable
mode / transactional updates.

audit-allow-manual-stop.patch

@@ -11,12 +11,13 @@ SUSE since we lack the ability to use a custom stop/restart
  init.d/auditd.service |    1 -
  1 file changed, 1 deletion(-)
 
---- audit-4.0.2.orig/init.d/auditd.service.in   2024-08-08 19:40:19.000000000 +0200
-+++ audit-4.0.2/init.d/auditd.service.in        2025-06-12 12:09:00.612234841 +0200
-@@ -21,7 +21,6 @@
+--- a/init.d/auditd.service
++++ b/init.d/auditd.service
+@@ -14,7 +14,6 @@ After=local-fs.target systemd-tmpfiles-s
  Before=sysinit.target shutdown.target
- #Before=shutdown.target
+ ##Before=shutdown.target
  Conflicts=shutdown.target
 -RefuseManualStop=yes
-
+ 
  Documentation=man:auditd(8) https://github.com/linux-audit/audit-documentation
+ 

audit-secondary.changes

@@ -2,38 +2,7 @@
 Mon Jan 26 12:11:06 UTC 2026 - Callum Farmer <gmbr3@opensuse.org>
 
 - Move all /var/spool, /var/log directories to systemd-tmpfiles
-
--------------------------------------------------------------------
-Tue Jun 10 14:24:47 UTC 2025 - Wolfgang Frisch <wolfgang.frisch@suse.com>
-
-- Refresh systemd service patches:
-  - audit-allow-manual-stop.patch
-  - auditd.service-fix-plugin-termination.patch
-  - enable-stop-rules.patch
-  - fix-hardened-service.patch
-  - harden_auditd.service.patch
-
-- Update to 4.0.2
-  - Fix musl C builds
-  - Many code cleanups (Yugend)
-  - Use atomic variables if available for signal related flags
-  - Dont rotate audit logs when auditd is in debug mode
-  - Fix a couple memory leaks on error paths
-  - Correct output when displaying rules with exe/path/dir (Attila Lakatos)
-  - Fix auparse lookup test to not use the system libaupaurse
-  - Improve auparse metrics
-  - Update auparse normalizer for recent syscalls
-  - Make status report uniform
-
-- Update to 4.0.1
-  - Update TRUSTED_APP interpretation to look for known fields
-  - In auditd plugins, allow variable amount of arguments (Attila Lakatos)
-  - Fix augenrules to work correctly when kernel is in immutable mode
-  - Add ausearch_cur_event to auparse library (Attila Lakatos)
-  - Add audisp-filter plugin (Attila Lakatos)
-  - Improve sorting speed of aureport --summary reports
-  - auditd & audit-rules.service pick up paths automatically (Laurent Bigonville)
-  - Update auparse normalizer for new syscalls
+  (from OBS request 1329283) (jsc#PED-14752)
 
 -------------------------------------------------------------------
 Fri Oct  4 16:06:06 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>

audit-secondary.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package audit-secondary
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -22,7 +22,7 @@
 # The seperation is required to minimize unnecessary build cycles.
 %define 	_name audit
 Name:           audit-secondary
-Version:        4.0.2
+Version:        4.0
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later
@@ -30,7 +30,7 @@ Group:          System/Monitoring
 URL:            https://people.redhat.com/sgrubb/audit/
 Source0:        https://people.redhat.com/sgrubb/audit/%{_name}-%{version}.tar.gz
 Source1:        system-group-audit.conf
-Source2:        audit.tmpfiles
+Source2:	audit.tmpfiles
 Patch1:         audit-plugins-path.patch
 Patch2:         audit-no-gss.patch
 Patch3:         audit-ausearch-do-not-require-tclass.patch
@@ -362,17 +362,13 @@ fi
 %attr(644,root,root) %{_mandir}/man5/auditd-plugins.5.gz
 %attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
 %attr(644,root,root) %{_mandir}/man8/audisp-syslog.8.gz
-%attr(644,root,root) %{_mandir}/man8/audisp-filter.8.gz
 %attr(750,root,root) %dir %{_sysconfdir}/audit
 %attr(750,root,root) %dir %{_sysconfdir}/audit/plugins.d
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/audispd-zos-remote.conf
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/zos-remote.conf
 %attr(750,root,root) %{_sbindir}/audisp-remote
 %attr(750,root,root) %{_sbindir}/audispd-zos-remote
-%attr(750,root,root) %{_sbindir}/audisp-filter
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audisp-remote.conf
 %config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/au-remote.conf
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/audisp-filter.conf
-%config(noreplace) %attr(640,root,root) %{_sysconfdir}/audit/plugins.d/filter.conf
 
 %changelog

audit.changes

@@ -1,35 +1,3 @@
--------------------------------------------------------------------
-Tue Jun 10 14:23:54 UTC 2025 - Wolfgang Frisch <wolfgang.frisch@suse.com>
-
-- Refresh systemd service patches:
-  - audit-allow-manual-stop.patch
-  - auditd.service-fix-plugin-termination.patch
-  - enable-stop-rules.patch
-  - fix-hardened-service.patch
-  - harden_auditd.service.patch
-
-- Update to 4.0.2
-  - Fix musl C builds
-  - Many code cleanups (Yugend)
-  - Use atomic variables if available for signal related flags
-  - Dont rotate audit logs when auditd is in debug mode
-  - Fix a couple memory leaks on error paths
-  - Correct output when displaying rules with exe/path/dir (Attila Lakatos)
-  - Fix auparse lookup test to not use the system libaupaurse
-  - Improve auparse metrics
-  - Update auparse normalizer for recent syscalls
-  - Make status report uniform
-
-- Update to 4.0.1
-  - Update TRUSTED_APP interpretation to look for known fields
-  - In auditd plugins, allow variable amount of arguments (Attila Lakatos)
-  - Fix augenrules to work correctly when kernel is in immutable mode
-  - Add ausearch_cur_event to auparse library (Attila Lakatos)
-  - Add audisp-filter plugin (Attila Lakatos)
-  - Improve sorting speed of aureport --summary reports
-  - auditd & audit-rules.service pick up paths automatically (Laurent Bigonville)
-  - Update auparse normalizer for new syscalls
-
 -------------------------------------------------------------------
 Fri Oct  4 16:04:56 UTC 2024 - Enzo Matsumiya <ematsumiya@suse.com>
 

audit.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package audit
 #
-# Copyright (c) 2025 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -23,7 +23,7 @@
 %endif
 
 Name:           audit
-Version:        4.0.2
+Version:        4.0
 Release:        0
 Summary:        Linux kernel audit subsystem utilities
 License:        GPL-2.0-or-later

auditd.service-fix-plugin-termination.patch

@@ -2,13 +2,13 @@
  init.d/auditd.service |    1 +
  1 file changed, 1 insertion(+)
 
---- audit-4.0.2.orig/init.d/auditd.service.in   2024-08-08 19:40:19.000000000 +0200
-+++ audit-4.0.2/init.d/auditd.service.in        2025-06-12 12:07:18.450305682 +0200
-@@ -32,6 +32,7 @@
+--- a/init.d/auditd.service
++++ b/init.d/auditd.service
+@@ -29,6 +29,7 @@ ExecStopPost=/sbin/auditctl -R /etc/audi
  Restart=on-failure
- ## Do not restart for intentional exits. See EXIT CODES section in auditd(8).
+ # Do not restart for intentional exits. See EXIT CODES section in auditd(8).
  RestartPreventExitStatus=2 4 6
 +KillMode=mixed
-
+ 
  ### Security Settings ###
  MemoryDenyWriteExecute=true

enable-stop-rules.patch

@@ -15,16 +15,16 @@ Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
  init.d/auditd.service |    4 ++++
  1 file changed, 4 insertions(+)
 
---- audit-4.0.2.orig/init.d/auditd.service.in   2024-08-08 19:40:19.000000000 +0200
-+++ audit-4.0.2/init.d/auditd.service.in        2025-06-12 12:04:22.896698211 +0200
-@@ -29,6 +29,10 @@
+--- a/init.d/auditd.service
++++ b/init.d/auditd.service
+@@ -22,6 +22,10 @@ Documentation=man:auditd(8) https://gith
  Type=forking
- PIDFile=@runstatedir@/auditd.pid
- ExecStart=@sbindir@/auditd
-+ExecStartPost=-@sbindir@/augenrules --load
+ PIDFile=/run/auditd.pid
+ ExecStart=/sbin/auditd
++ExecStartPost=-/sbin/augenrules --load
 +# By default we clear the rules on exit. To disable this, comment
 +# the next line after copying the file to /etc/systemd/system/auditd.service
-+ExecStopPost=@sbindir@/auditctl -R /etc/audit/audit-stop.rules
++ExecStopPost=/sbin/auditctl -R /etc/audit/audit-stop.rules
  Restart=on-failure
- ## Do not restart for intentional exits. See EXIT CODES section in auditd(8).
+ # Do not restart for intentional exits. See EXIT CODES section in auditd(8).
  RestartPreventExitStatus=2 4 6

fix-hardened-service.patch

@@ -12,10 +12,10 @@ Also remove PrivateDevices=true so /dev/* are exposed to auditd.
 
 Signed-off-by: Enzo Matsumiya <ematsumiya@suse.de>
 
-Index: audit-3.1.1/init.d/auditd.service.in
+Index: audit-3.1.1/init.d/auditd.service
 ===================================================================
---- audit-3.1.1.orig/init.d/auditd.service.in
-+++ audit-3.1.1/init.d/auditd.service.in
+--- audit-3.1.1.orig/init.d/auditd.service
++++ audit-3.1.1/init.d/auditd.service
 @@ -42,12 +42,12 @@ RestrictRealtime=true
  # added automatically, for details please see
  # https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort

harden_auditd.service.patch

@@ -1,7 +1,7 @@
-Index: audit-3.1.1/init.d/auditd.service.in
+Index: audit-3.1.1/init.d/auditd.service
 ===================================================================
---- audit-3.1.1.orig/init.d/auditd.service.in
-+++ audit-3.1.1/init.d/auditd.service.in
+--- audit-3.1.1.orig/init.d/auditd.service
++++ audit-3.1.1/init.d/auditd.service
 @@ -39,6 +39,15 @@ LockPersonality=true
  #ProtectControlGroups=true
  ProtectKernelModules=true