#53 libselinux/setenforce fails on fedora 32
Closed 4 years ago by plautrba. Opened 4 years ago by plautrba.

https://jenkins-continuous-infra.apps.ci.centos.org/job/fedora-rawhide-pr-pipeline/2802/artifact/package-tests/logs/FAIL-selinux-libselinux-setenforce.log

[   FAIL   ] :: Command 'ausearch --input-logs -m MAC_STATUS -i -ts 03/05/2020 14:00:26 | grep 'type=SYSCALL.*comm=setenforce'' (Expected 0, got 1)

Based on the content of the /var/log/audit/audit.log file, a type=SYSCALL record that would contain "setenforce" does not appear on Fedora 32 at all, even if full auditing is enabled.

How to enable full auditing in the audit daemon:

1) Open the /etc/audit/rules.d/audit.rules file in an editor.
2) Remove the following line if it exists:
-a task,never
3) Add the following line at the end of the file:
-w /etc/shadow -p w
4) Restart the audit daemon:
# service auditd restart
5) Re-run your scenario.

Full auditing is useful when:
- full paths to accessed objects are needed
- certain audit event fields, which are normally hidden, should be visible

The procedure works on RHEL >= 5 and on Fedora.

If the /etc/audit/rules.d/audit.rules file does not exist, please edit /etc/audit/audit.rules directly. Older versions of audit did not generate /etc/audit/audit.rules from /etc/audit/rules.d/audit.rules.

More info at: https://danwalsh.livejournal.com/34903.html

@rfilo: @mmalik says in a comment above that the record doesn't appear even with full auditing enabled. Since your proposed fix is essentially turning on "full auditing", did you find that to be untrue?

It seems to be caused by some difference between the RHEL 8 and Fedora test environments.


Just to make things clear: It has been explained to me that the conclusion that full auditing doesn't help on F32 was wrong (@mmalik added the rule before running the test, which subsequently deleted it). Adding the rule after the auditctl -D (as @rfilo's fix does) does make it work on F32.
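The ordering bug described above (the watch rule from the full-auditing procedure being flushed by a later `auditctl -D`) is easy to reintroduce in a test script. The following shell check is an added example, not part of this ticket or of the selinux test suite: `rules_ok` reads the commands of a test script from stdin and succeeds only when the `-w /etc/shadow -p w` watch appears after the last `-D` flush. The two sample scripts are constructed for illustration.

```sh
#!/bin/sh
# Added example: detect audit rules that are added and then flushed.
# rules_ok reads script lines on stdin. Any line containing an
# `auditctl -D` (or bare `-D`) resets the "watch seen" state, so the
# function only succeeds if the /etc/shadow watch survives to the end.
rules_ok() {
    awk '
        # A flush deletes every rule loaded so far, including the watch.
        /(^|[[:space:]])-D([[:space:]"]|$)/ { seen_watch = 0; next }
        # The watch rule from the full-auditing procedure.
        /-w[[:space:]]+\/etc\/shadow[[:space:]]+-p[[:space:]]+w/ { seen_watch = 1 }
        END { exit (seen_watch ? 0 : 1) }
    '
}

# Constructed sample: watch added first, then flushed (the failing order).
BROKEN='auditctl -w /etc/shadow -p w
auditctl -D
setenforce 1
ausearch --input-logs -m MAC_STATUS -i'

# Constructed sample: flush first, then add the watch (the fixed order).
FIXED='auditctl -D
auditctl -w /etc/shadow -p w
setenforce 1
ausearch --input-logs -m MAC_STATUS -i'

if printf '%s\n' "$BROKEN" | rules_ok; then
    echo "broken script: watch survives (unexpected)"
else
    echo "broken script: watch is flushed by auditctl -D"
fi

if printf '%s\n' "$FIXED" | rules_ok; then
    echo "fixed script: watch survives, SYSCALL records will be logged"
else
    echo "fixed script: watch is flushed (unexpected)"
fi
```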

Metadata Update from @plautrba:
- Issue status updated to: Closed (was: Open)

4 years ago
