From d1fe1b9cec54ab37c4231a1bddb67004c06a6c28934ca810a60e639b3d0bbf13 Mon Sep 17 00:00:00 2001 From: OBS User unknown Date: Wed, 31 Oct 2007 11:24:11 +0000 Subject: [PATCH] OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/audit?expand=0&rev=8 --- audit-1.6.2-bugs.patch | 50 ++++++++++-- audit-libs-python.spec | 2 +- audit-startup.patch | 167 +++++++++++++++++++++++++++++++++++++++++ audit.changes | 7 ++ audit.spec | 10 ++- auditd.init | 4 + auditd.sysconfig | 4 + 7 files changed, 234 insertions(+), 10 deletions(-) create mode 100644 audit-startup.patch diff --git a/audit-1.6.2-bugs.patch b/audit-1.6.2-bugs.patch index 2e72cc9..a95064a 100644 --- a/audit-1.6.2-bugs.patch +++ b/audit-1.6.2-bugs.patch @@ -2,10 +2,22 @@ From: Steve Grubb Subject: Patches for 1.6.2 Upsteam: yes (in 1.6.3) -Misc patches for 1.6.2 audit +Misc patches for 1.6.2 audit (from Steve Grubb) ---- audit-1.6.2.orig/lib/lookup_table.c 2007-10-05 10:30:25.000000000 -0400 -+++ audit-1.6.2/lib/lookup_table.c 2007-10-05 10:32:01.000000000 -0400 +diff -urp audit-1.6.2.orig/audisp/audispd.c audit-1.6.2/audisp/audispd.c +--- audit-1.6.2.orig/audisp/audispd.c 2007-10-17 13:56:22.000000000 -0400 ++++ audit-1.6.2/audisp/audispd.c 2007-10-17 14:13:49.000000000 -0400 +@@ -369,7 +369,6 @@ int main(int argc, char *argv[]) + conf = plist_get_cur(&plugin_conf); + while (conf) { + free_pconfig(conf->p); +- free(conf->p); + conf = plist_next(&plugin_conf); + } + plist_clear(&plugin_conf); +diff -urp audit-1.6.2.orig/lib/lookup_table.c audit-1.6.2/lib/lookup_table.c +--- audit-1.6.2.orig/lib/lookup_table.c 2007-10-17 13:56:22.000000000 -0400 ++++ audit-1.6.2/lib/lookup_table.c 2007-10-17 13:56:49.000000000 -0400 @@ -483,7 +483,7 @@ int audit_name_to_msg_type(const char *m strncpy(buf, msg_type + 8, len); errno = 0; 
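Review bot: The dropped `free(conf->p);` in the audispd.c shutdown loop is left unexplained, and the patch header above it still reads only "Misc patches for 1.6.2 audit (from Steve Grubb)". The removal presumably fixes a double free, with the structure released by `free_pconfig()` or by the later `plist_clear(&plugin_conf)`; neither is visible in this hunk, so the owner of `conf->p` should be confirmed and recorded. I would add a line to the patch header such as `audispd: drop extra free(conf->p) at exit, the plugin list releases it`, adjusted to whichever call actually owns the pointer. main() in audispd.c starts and ends outside the hunk.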
@@ -15,10 +27,34 @@ Misc patches for 1.6.2 audit errno = 0; return strtol(msg_type, NULL, 10); } - ---- audit-1.6.2.orig/src/auditd.c 2007-10-05 10:31:35.000000000 -0400 -+++ audit-1.6.2/src/auditd.c 2007-10-05 10:30:04.000000000 -0400 -@@ -135,8 +135,8 @@ static void distribute_event(struct audi +diff -urp audit-1.6.2.orig/lib/msg_typetab.h audit-1.6.2/lib/msg_typetab.h +--- audit-1.6.2.orig/lib/msg_typetab.h 2007-10-17 13:56:22.000000000 -0400 ++++ audit-1.6.2/lib/msg_typetab.h 2007-10-17 13:57:27.000000000 -0400 +@@ -92,7 +92,7 @@ _S(AUDIT_KERNEL_OTHER, "KE + _S(AUDIT_FD_PAIR, "FD_PAIR" ) + _S(AUDIT_OBJ_PID, "OBJ_PID" ) + _S(AUDIT_TTY, "TTY" ) +-//_S(AUDIT_EOE, "EOE" ) ++_S(AUDIT_EOE, "EOE" ) + _S(AUDIT_AVC, "AVC" ) + _S(AUDIT_SELINUX_ERR, "SELINUX_ERR" ) + _S(AUDIT_AVC_PATH, "AVC_PATH" ) +diff -urp audit-1.6.2.orig/src/auditd.c audit-1.6.2/src/auditd.c +--- audit-1.6.2.orig/src/auditd.c 2007-10-17 13:56:22.000000000 -0400 ++++ audit-1.6.2/src/auditd.c 2007-10-17 13:59:32.000000000 -0400 +@@ -127,16 +127,18 @@ static void distribute_event(struct audi + + /* End of Event is for realtime interface - skip local logging of it */ + if (rep->reply.type != AUDIT_EOE) { ++ int yield = rep->reply.type <= AUDIT_LAST_DAEMON && ++ rep->reply.type >= AUDIT_FIRST_DAEMON ? 1 : 0; ++ + /* Write to local disk */ + enqueue_event(rep); +- if (rep->reply.type <= AUDIT_LAST_DAEMON && +- rep->reply.type >= AUDIT_FIRST_DAEMON) ++ if (yield) + pthread_yield(); /* Let other thread try to log it. */ } /* Last chance to send...maybe the pipe is empty now. */ diff --git a/audit-libs-python.spec b/audit-libs-python.spec index ba0acd9..c030dd4 100644 --- a/audit-libs-python.spec +++ b/audit-libs-python.spec @@ -15,7 +15,7 @@ Name: audit-libs-python BuildRequires: audit-devel gcc-c++ pkg-config python-devel swig Summary: Python Bindings for libaudit Version: 1.6.2 -Release: 1 +Release: 10 License: GPL v2 or later Group: System/Monitoring Url: http://people.redhat.com/sgrubb/audit/ 
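Review bot: Nothing in the new distribute_event() lines says why `yield` is computed before `enqueue_event(rep)`, and without that a later cleanup is likely to fold the test back into the `if`. The reordering suggests that `rep` must not be read once it has been queued (presumably the logging thread may release it), which cannot be confirmed from this hunk. I would add above the declaration `/* Read reply.type now: rep belongs to the logger thread after enqueue_event() */`, and write the expression as `(rep->reply.type >= AUDIT_FIRST_DAEMON && rep->reply.type <= AUDIT_LAST_DAEMON)` without the redundant `? 1 : 0`. The function body continues outside the hunk.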
diff --git a/audit-startup.patch b/audit-startup.patch
new file mode 100644
index 0000000..c523b2c
--- /dev/null
+++ b/audit-startup.patch
@@ -0,0 +1,167 @@ +--- audit-1.6.2.orig/docs/auditd.8 ++++ audit-1.6.2/docs/auditd.8 +@@ -3,7 +3,7 @@ + auditd \- The Linux Audit daemon + .SH SYNOPSIS + .B auditd +-.RB [ \-f ]\ [ \-l ]\ [ \-n ] ++.RB [ \-f ]\ [ \-l ]\ [ \-n ]\ [ \-s\ disable|enable|nochange ] + .SH DESCRIPTION + \fBauditd\fP is the userspace component to the Linux Auditing System. It's responsible for writing audit records to the disk. Viewing the logs is done with the + .B ausearch +@@ -24,6 +24,9 @@ + .TP + .B \-n + no fork. This is useful for running off of inittab ++.TP ++.B \-s=\fIENABLE_STATE\fR ++specify when starting if auditd should change the current value for the kernel enabled flag. Valid values for ENABLE_STATE are "disable", "enable" or "nochange". The default is to enable (and disable when auditd terminates). The value of the enabled flag may be changed during the lifetime of auditd using 'auditctl -e'. + .SH SIGNALS + .TP + SIGHUP +--- audit-1.6.2.orig/src/auditd.c ++++ audit-1.6.2/src/auditd.c +@@ -36,6 +36,7 @@ + #include + #include + #include ++#include + + #include "libaudit.h" + #include "auditd-config.h" +@@ -65,13 +66,19 @@ + static void clean_exit(void); + static int get_reply(int fd, struct audit_reply *rep, int seq); + ++enum startup_state {startup_disable=0, startup_enable, startup_nochange, startup_INVALID}; ++static const char *startup_states[] = {"disable", "enable", "nochange"}; + + /* + * Output a usage message + */ + static void usage(void) + { +- puts("Usage: auditd [ -f -l -n ]"); ++ fprintf(stderr, "Usage: auditd [-f] [-l] [-n] [-s %s|%s|%s]\n", ++ startup_states[startup_disable], ++ startup_states[startup_enable], ++ startup_states[startup_nochange]); ++ + exit(2); + } + +@@ -308,26 +315,56 @@ + struct rlimit limit; + int hup_info_requested = 0, usr1_info_requested = 0; + int i; ++ int opt_foreground = 0, opt_allow_links = 0; ++ enum startup_state opt_startup = startup_enable; ++ int c; ++ extern char *optarg; ++ extern int optind; + + /* Get params && set 
mode */ +- config.daemonize = D_BACKGROUND; +- if (argc > 1) { +- for (i=1; i 0) { + struct audit_reply trep; diff --git a/audit.changes b/audit.changes index 432d97c..44cd2ec 100644 --- a/audit.changes +++ b/audit.changes @@ -1,3 +1,10 @@ +------------------------------------------------------------------- +Wed Oct 31 07:08:38 CET 2007 - tonyj@suse.de + +- Incorporate 1 more Redhat fixe post 1.6.2 +- Go back to 10.2 behaviour wrt to starting in disabled state. + This time using patch submitted upstream, fix for #Bug 333739 + ------------------------------------------------------------------- Wed Oct 10 23:18:24 CEST 2007 - tonyj@suse.de diff --git a/audit.spec b/audit.spec index d69b683..9846fdc 100644 --- a/audit.spec +++ b/audit.spec @@ -14,7 +14,7 @@ Name: audit BuildRequires: gcc-c++ Summary: User Space Tools for 2.6 Kernel Auditing Version: 1.6.2 -Release: 1 +Release: 4 License: GPL v2 or later Group: System/Monitoring Url: http://people.redhat.com/sgrubb/audit/ @@ -24,6 +24,7 @@ Source2: auditd.sysconfig Patch0: audit-no_sca.patch Patch1: audit-no_python.patch Patch2: audit-1.6.2-bugs.patch +Patch3: audit-startup.patch BuildRoot: %{_tmppath}/%{name}-%{version}-build Requires: %{name}-libs = %{version}-%{release} PreReq: %insserv_prereq %fillup_prereq @@ -56,7 +57,7 @@ Authors: %package devel Summary: Header files and static library for libaudit -License: LGPL v2 or later +License: LGPL v2.1 or later Group: System/Monitoring Requires: %{name}-libs = %{version}-%{release} @@ -76,6 +77,7 @@ Authors: %patch0 -p1 %patch1 -p1 %patch2 -p1 +%patch3 -p1 %build #autoreconf -iv --install 
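Review bot: The added auditd.8 text documents the option as `\-s=\fIENABLE_STATE\fR`, while the synopsis line, the new usage() string and the init script in this commit all pass the value as a separate word (`-s disable`). If the option is parsed with getopt, as the added `optarg`/`optind` declarations suggest, `-s=disable` would hand the parser `=disable` and match no state; the parsing loop itself is not legible on this page, so this is inferred. I would change the man page line to `.B \-s\ \fIENABLE_STATE\fR`. Separately, `startup_states[]` has three entries while the enum ends in `startup_INVALID`, so any lookup has to reject that value before indexing the table.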
@@ -194,6 +196,10 @@ fi
 %dir %attr(700,root,root) /var/log/audit
 %ghost %config(noreplace) /var/log/audit/audit.log
 %changelog
+* Wed Oct 31 2007 - tonyj@suse.de
+- Incorporate 1 more Redhat fixe post 1.6.2
+- Go back to 10.2 behaviour wrt to starting in disabled state.
+ This time using patch submitted upstream, fix for #Bug 333739
 * Wed Oct 10 2007 - tonyj@suse.de
 - Upgrade to 1.6.2
 Plus two bugs discovered in Fedora, will be fixed in 1.6.3
diff --git a/auditd.init b/auditd.init
index 0da8ba8..4475a86 100644
--- a/auditd.init
+++ b/auditd.init
@@ -98,6 +98,10 @@ rc_reset
 case "$1" in
 start)
 echo -n "Starting auditd "
+ if [ "$AUDITD_DISABLE_CONTEXTS" == "yes" ] ; then
+ EXTRAOPTIONS="$EXTRAOPTIONS -s disable"
+ fi
+
 ## Start daemon with startproc(8). If this fails
 ## the return value is set appropriately by startproc.
 startproc $AUDITD_BIN $EXTRAOPTIONS
diff --git a/auditd.sysconfig b/auditd.sysconfig
index 83ec8f7..9fdd65b 100644
--- a/auditd.sysconfig
+++ b/auditd.sysconfig
@@ -29,3 +29,7 @@ AUDITD_CLEAN_STOP="yes"
 #
 ## Type: yesno
 ## Default: yes
+#
+# This option disables syscall auditing by default. This can also be
+# accomplished by auditctl -e.
+AUDITD_DISABLE_CONTEXTS="yes"
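Review bot: The new test in the `start)` branch uses `==` inside `[ ]`, which is a bash extension rather than POSIX test syntax. The script's interpreter line is outside the hunk, so if it ever runs under a plain POSIX `/bin/sh` the comparison errors out, the branch is skipped and `-s disable` is silently never added, leaving the daemon in a different audit state than the sysconfig file asks for. I would write `if [ "$AUDITD_DISABLE_CONTEXTS" = "yes" ]; then`.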
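Review bot: The comment added for `AUDITD_DISABLE_CONTEXTS` does not say what the shipped value "yes" means for an administrator: with it the init script starts auditd with `-s disable`, so syscall auditing stays off until someone switches it on. It also mentions `auditctl -e` without its argument. I would reword the two comment lines to `# "yes" starts auditd with kernel auditing disabled (-s disable); set to "no",` and `# or run "auditctl -e 1" at runtime, to record syscall events.`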