Accepting request 245613 from security

1 OBS-URL: https://build.opensuse.org/request/show/245613 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=74
2014-08-25 10:59:44 +00:00 · 2014-08-25 10:59:44 +00:00 · 3f8c9faf02
commit 3f8c9faf02
parent 30cb942b15 42c1e24684
3 changed files with 30 additions and 1 deletions
--- a/audit-secondary.changes
+++ b/audit-secondary.changes
@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Fri Aug 15 14:24:33 UTC 2014 - crrodriguez@opensuse.org
+
+- If the system has been booted with audit=0 in the kernel cmdline
+  auditd.service must refrain from starting as the relevant kernel
+  subsystem will be permanently disabled.
+  add patch: auditd-donot-start-if-kernel-cmdline-disabled.patch
+
 -------------------------------------------------------------------
 Thu Jul 10 06:21:55 UTC 2014 - tonyj@suse.com

--- a/audit-secondary.spec
+++ b/audit-secondary.spec
@ -39,6 +39,7 @@ Patch2:         audit-no-gss.patch
 Patch3:         audit-no_m4_dir.patch
 Patch4:         audit-allow-manual-stop.patch
 Patch5:         audit-ausearch-do-not-require-tclass.patch
+Patch6:         auditd-donot-start-if-kernel-cmdline-disabled.patch
 BuildRoot:      %{_tmppath}/%{name}-%{version}-build
 BuildRequires:  audit-devel = %{version}
 BuildRequires:  autoconf >= 2.12
@ -96,7 +97,7 @@ rm -rf audisp/plugins/prelude
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
-
+%patch6 -p1
 %build
 autoreconf -fi
 export CFLAGS="%{optflags} -fno-strict-aliasing"
--- a/auditd-donot-start-if-kernel-cmdline-disabled.patch
+++ b/auditd-donot-start-if-kernel-cmdline-disabled.patch
@ -0,0 +1,20 @@
+From: Cristian Rodríguez <crrodriguez@opensuse.org>
+Subject: If the audit subsystem is disabled in the cmdline, do not start service
+Date: Fri Aug 15 14:17:53 UTC 2014
+Upstream: Not yet , submitted Aug 14 2014
+Signed-Off-by:  Cristian Rodríguez <crrodriguez@opensuse.org>
+
+If the system is booted with audit=0 in the kernel command line
+the service must not be started as the audit subsystem is permanently
+disabled until next boot.
+
+--- audit-2.3.6.orig/init.d/auditd.service
+++ audit-2.3.6/init.d/auditd.service
+@@ -4,6 +4,7 @@ DefaultDependencies=no
+ After=local-fs.target
+ Conflicts=shutdown.target
+ Before=sysinit.target shutdown.target
+ConditionKernelCommandLine=!audit=0
+ 
+ [Service]
+ ExecStart=/sbin/auditd -n