Package: audit
Version: 1.7.13-1
Severity: normal
I sent a bug report to upstream ([email protected]), but it seems
it doesn't work. So, I am filing the bug report into Debian BTS.
I am using audit-1.7.13 on Debian. Using the tool auditctl, I got an
error when I tried to specify an inode with the != operator.
# auditctl -a exit,always -F devmajor=9 -F perm=wa -F 'inode!=67437'
Field (inode) only takes = or != operators
It's something weird, I am using the != operator...
Looking at the source code, I found a function audit_rule_fieldpair in
deprecated.c and another function audit_rule_fieldpair_data in libaudit.c.
It seems that the != operator was AUDIT_NEGATE but now is
AUDIT_NOT_EQUAL, internally. If this assumption is correct, I think
that we need a fix like the following:
--- audit-1.7.13/lib/libaudit.c~ 2009-04-22 03:47:20.000000000 +0900
+++ audit-1.7.13/lib/libaudit.c 2009-07-30 14:33:44.000000000 +0900
@@ -1096,7 +1096,7 @@
/* fallthrough */
default:
if (field == AUDIT_INODE) {
- if (!(op == AUDIT_NEGATE || op == AUDIT_EQUAL))
+ if (!(op == AUDIT_NOT_EQUAL || op ==
AUDIT_EQUAL))
return -13;
}
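Review bot: The AUDIT_INODE check now rejects AUDIT_NEGATE outright, so please confirm that no caller of this function can still pass the old AUDIT_NEGATE value for op; if one can, it will start getting -13 where it previously succeeded, and accepting both values during the transition would be safer. Also, the added line is wrapped in the mail: "AUDIT_EQUAL))" sits on its own line without a "+" prefix, so the hunk will not apply as sent and should be resent as an unwrapped attachment. A short comment at the check stating that inode rules accept only = and != would match the error message shown in the report.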
Thanks,