From 42c1e24684c305fbc26746a8078f16eb20b263fdb5d89adbe04f8bf192081139 Mon Sep 17 00:00:00 2001 From: Marcus Meissner Date: Thu, 21 Aug 2014 13:31:20 +0000 Subject: [PATCH] Accepting request 244848 from home:elvigia:branches:security - If the system has been booted with audit=0 in the kernel cmdline auditd.service must refrain from starting as the relevant kernel subsystem will be permanently disabled. add patch: auditd-donot-start-if-kernel-cmdline-disabled.patch OBS-URL: https://build.opensuse.org/request/show/244848 OBS-URL: https://build.opensuse.org/package/show/security/audit?expand=0&rev=70 --- audit-secondary.changes | 8 ++++++++ audit-secondary.spec | 3 ++- ...not-start-if-kernel-cmdline-disabled.patch | 20 +++++++++++++++++++ 3 files changed, 30 insertions(+), 1 deletion(-) create mode 100644 auditd-donot-start-if-kernel-cmdline-disabled.patch diff --git a/audit-secondary.changes b/audit-secondary.changes index 0301916..89270d6 100644 --- a/audit-secondary.changes +++ b/audit-secondary.changes @@ -1,3 +1,11 @@ +------------------------------------------------------------------- +Fri Aug 15 14:24:33 UTC 2014 - crrodriguez@opensuse.org + +- If the system has been booted with audit=0 in the kernel cmdline + auditd.service must refrain from starting as the relevant kernel + subsystem will be permanently disabled. + add patch: auditd-donot-start-if-kernel-cmdline-disabled.patch + ------------------------------------------------------------------- Thu Jul 10 06:21:55 UTC 2014 - tonyj@suse.com diff --git a/audit-secondary.spec b/audit-secondary.spec index b150dab..f5e6ac5 100644 --- a/audit-secondary.spec +++ b/audit-secondary.spec 
@@ -39,6 +39,7 @@ Patch2: audit-no-gss.patch
 Patch3: audit-no_m4_dir.patch
 Patch4: audit-allow-manual-stop.patch
 Patch5: audit-ausearch-do-not-require-tclass.patch
+Patch6: auditd-donot-start-if-kernel-cmdline-disabled.patch
 BuildRoot: %{_tmppath}/%{name}-%{version}-build
 BuildRequires: audit-devel = %{version}
 BuildRequires: autoconf >= 2.12
@@ -96,7 +97,7 @@ rm -rf audisp/plugins/prelude
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
-
+%patch6 -p1
 %build
 autoreconf -fi
 export CFLAGS="%{optflags} -fno-strict-aliasing"
diff --git a/auditd-donot-start-if-kernel-cmdline-disabled.patch b/auditd-donot-start-if-kernel-cmdline-disabled.patch
new file mode 100644
index 0000000..219209c
--- /dev/null
+++ b/auditd-donot-start-if-kernel-cmdline-disabled.patch
@@ -0,0 +1,20 @@
+From: Cristian Rodríguez
+Subject: If the audit subsystem is disabled in the cmdline, do not start service
+Date: Fri Aug 15 14:17:53 UTC 2014
+Upstream: Not yet , submitted Aug 14 2014
+Signed-Off-by: Cristian Rodríguez
+
+If the system is booted with audit=0 in the kernel command line
+the service must not be started as the audit subsystem is permanently
+disabled until next boot.
+
+--- audit-2.3.6.orig/init.d/auditd.service
++++ audit-2.3.6/init.d/auditd.service
+@@ -4,6 +4,7 @@ DefaultDependencies=no
+ After=local-fs.target
+ Conflicts=shutdown.target
+ Before=sysinit.target shutdown.target
++ConditionKernelCommandLine=!audit=0
+
+ [Service]
+ ExecStart=/sbin/auditd -n
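Review bot: The added `ConditionKernelCommandLine=!audit=0` in the [Unit] section of init.d/auditd.service makes a boot with audit=0 skip auditd quietly. A unit whose condition is not met ends up inactive rather than failed, so monitoring that alerts only on failed units will not notice that the host is running without audit logging. I would add a comment above the line, `# audit=0 turns the kernel audit subsystem off until reboot; auditd is then skipped, not failed`, and note in the package documentation that health and compliance checks should look at /proc/cmdline or the unit's ConditionResult property. The condition matches only the literal word `audit=0`, so any other spelling the kernel might treat as disabled (not verifiable from this hunk) would still start the daemon. The unit's [Service] section continues outside the hunk.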