On Fri, May 30, 2025 at 5:06 PM Steve Grubb <sgr...@redhat.com> wrote:
> On Friday, May 30, 2025 4:41:36 PM Eastern Daylight Time Paul Moore wrote:
> > > If you notice any problems with this release, please let us know.
> >
> > I'm not sure if this is an intentional change, but I don't see it
> > explicitly listed in the changelog above so I wanted to mention this
> > in case it was a bug.
> >
> > I recently upgraded audit from version 4.0.3-2.fc42 to 4.0.4-1.fc43 on
> > my Fedora Rawhide test system and I started to see "Option
> > exclude,always is invalid" errors when I had not previously. Is this
> > expected behavior, and if so, what is the suggested alternative to
> > 'auditctl -a exclude,always'?
>
> Oddly enough, it works on my system (which is f42 but new audit code). But
> when I list the rules to make sure, it reverses the fields to always,exclude -
> which I think is the preferred way.

My apologies, I said it was the 'auditctl -a exclude,always ...' command
that was the source of the error, but I was mistakenly off-by-one with
the test, it is the 'auditctl -d exclude,always ...' command that is the
source of the problem. Here is a very simple reproducer:

  % rpm -q audit
  audit-4.0.4-1.fc43.x86_64
  % auditctl -l
  No rules
  % auditctl -a exclude,always -F msgtype=SYSCALL
  % auditctl -d exclude,always -F msgtype=SYSCALL
  Option exclude,always is invalid
  There was an error while processing parameters
  % auditctl -d always,exclude -F msgtype=SYSCALL
  Option always,exclude is invalid
  There was an error while processing parameters
  % auditctl -l
  -a always,exclude -F msgtype=SYSCALL

> > For reference, here is the last known good test run with version
> > 4.0.3-2.fc42:
> > * https://groups.google.com/g/kernel-secnext/c/KCk5MZbnv5w
> >
> > ... and here is the first failing test run with version 4.0.4-1.fc43:
> > * https://groups.google.com/g/kernel-secnext/c/hyDNpgH-rjk
> >
> > I've also reproduced this manually by only changing the audit packages
> > on my system to help rule out kernel, library, or other changes; it
> > does appear to be related to the audit 4.0.4-1.fc43 release/build.
>
> Is there a pointer to the test suite? I'll check on a rawhide system. This
> would be odd if the same code works on F42 and not rawhide.

The audit-testsuite repo is here:

https://github.com/linux-audit/audit-testsuite

... and the failures should be easily reproducible on a current
Rawhide system; it's the appropriately named "filter_exclude" test
which is failing. The first of the failing commands can be seen here
on GH:

https://github.com/linux-audit/audit-testsuite/blob/6f8c12deb46596df32fb1efe5c2116cb5df1f484/tests/filter_exclude/test#L73

-- 
paul-moore.com