diff --git a/.audit.metadata b/.audit.metadata
index 1cbe0b8..fac8703 100644
--- a/.audit.metadata
+++ b/.audit.metadata
@@ -1 +1 @@
-84ce70969f3be29e460d92d9cd026119bee9b1dc SOURCES/audit-2.4.1.tar.gz
+5b14b50733d6d9d11467d88933f2d2ef10f7b19e SOURCES/audit-2.6.5.tar.gz
diff --git a/.gitignore b/.gitignore
index ec48444..dc190bc 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1 @@
-SOURCES/audit-2.4.1.tar.gz
+SOURCES/audit-2.6.5.tar.gz
diff --git a/SOURCES/audit-2.3.3-augenrules.patch b/SOURCES/audit-2.3.3-augenrules.patch
deleted file mode 100644
index f408308..0000000
--- a/SOURCES/audit-2.3.3-augenrules.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-diff -urp audit-2.3.3.orig/init.d/auditd.service audit-2.3.3/init.d/auditd.service
---- audit-2.3.3.orig/init.d/auditd.service 2014-01-16 06:24:42.000000000 -0500
-+++ audit-2.3.3/init.d/auditd.service 2014-03-18 12:47:13.682617960 -0400
-@@ -8,12 +8,11 @@ RefuseManualStop=yes
-
- [Service]
- ExecStart=/sbin/auditd -n
--## To use augenrules, copy this file to /etc/systemd/system/auditd.service
--## and uncomment the next line and delete/comment out the auditctl line.
--## Then copy existing rules to /etc/audit/rules.d/
--## Not doing this last step can cause loss of existing rules
--#ExecStartPost=-/sbin/augenrules --load
--ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
-+## To not use augenrules, copy this file to /etc/systemd/system/auditd.service
-+## and comment/delete the next line and uncomment the auditctl line.
-+## NOTE: augenrules expect any rules to be added to /etc/audit/rules.d/
-+ExecStartPost=-/sbin/augenrules --load
-+#ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
- ExecReload=/bin/kill -HUP $MAINPID
-
- [Install]
diff --git a/SOURCES/audit-2.4.1-uid-1000.patch b/SOURCES/audit-2.4.1-uid-1000.patch
deleted file mode 100644
index dd2af0f..0000000
--- a/SOURCES/audit-2.4.1-uid-1000.patch
+++ /dev/null
@@ -1,90 +0,0 @@
-diff -ur audit-2.4.1.orig/contrib/stig.rules audit-2.4.1/contrib/stig.rules
---- audit-2.4.1.orig/contrib/stig.rules 2014-10-27 16:54:03.000000000 -0400
-+++ audit-2.4.1/contrib/stig.rules 2014-10-28 14:21:39.896827577 -0400
-@@ -19,7 +19,7 @@
- ## NOTE:
- ## 1) if this is being used on a 32 bit machine, comment out the b64 lines
- ## 2) These rules assume that login under the root account is not allowed.
--## 3) It is also assumed that 500 represents the first usable user account. To
-+## 3) It is also assumed that 1000 represents the first usable user account. To
- ## be sure, look at UID_MIN in /etc/login.defs.
- ## 4) If these rules generate too much spurious data for your tastes, limit the
- ## the syscall file rules with a directory, like -F dir=/etc
-@@ -106,22 +106,22 @@
-
- ##- Discretionary access control permission modification (unsuccessful
- ## and successful use of chown/chmod)
---a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
---a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
---a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
---a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=500 -F auid!=4294967295 -F key=perm_mod
---a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod
---a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=500 -F auid!=4294967295 -F key=perm_mod
-+-a always,exit -F arch=b32 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-+-a always,exit -F arch=b64 -S chmod,fchmod,fchmodat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-+-a always,exit -F arch=b32 -S lchown,fchown,chown,fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-+-a always,exit -F arch=b64 -S chown,fchown,lchown,fchownat -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-+-a always,exit -F arch=b32 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-+-a always,exit -F arch=b64 -S setxattr,lsetxattr,fsetxattr,removexattr,lremovexattr,fremovexattr -F auid>=1000 -F auid!=4294967295 -F key=perm_mod
-
- ##- Unauthorized access attempts to files (unsuccessful)
---a always,exit -F arch=b32 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access
---a always,exit -F arch=b32 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=access
---a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=500 -F auid!=4294967295 -F key=access
---a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=500 -F auid!=4294967295 -F key=access
-+-a always,exit -F arch=b32 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-+-a always,exit -F arch=b32 -S open,creat,truncate,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-+-a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EACCES -F auid>=1000 -F auid!=4294967295 -F key=access
-+-a always,exit -F arch=b64 -S open,truncate,creat,openat,open_by_handle_at -F exit=-EPERM -F auid>=1000 -F auid!=4294967295 -F key=access
-
- ##- Use of privileged commands (unsuccessful and successful)
- ## use find /bin -type f -perm -04000 2>/dev/null and put all those files in a rule like this
---a always,exit -F path=/bin/ping -F perm=x -F auid>=500 -F auid!=4294967295 -F key=privileged
-+-a always,exit -F path=/bin/ping -F perm=x -F auid>=1000 -F auid!=4294967295 -F key=privileged
-
- ##- Use of print command (unsuccessful and successful)
-
-@@ -129,14 +129,14 @@
- ## You have to mount media before using it. You must disable all automounting
- ## so that its done manually in order to get the correct user requesting the
- ## export
---a always,exit -F arch=b32 -S mount -F auid>=500 -F auid!=4294967295 -F key=export
---a always,exit -F arch=b64 -S mount -F auid>=500 -F auid!=4294967295 -F key=export
-+-a always,exit -F arch=b32 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export
-+-a always,exit -F arch=b64 -S mount -F auid>=1000 -F auid!=4294967295 -F key=export
-
- ##- System startup and shutdown (unsuccessful and successful)
-
- ##- Files and programs deleted by the user (successful and unsuccessful)
---a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete
---a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=500 -F auid!=4294967295 -F key=delete
-+-a always,exit -F arch=b32 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
-+-a always,exit -F arch=b64 -S unlink,unlinkat,rename,renameat -F auid>=1000 -F auid!=4294967295 -F key=delete
-
- ##- All system administration actions
- ##- All security personnel actions
-@@ -175,7 +175,7 @@
- #-a always,exit -F arch=b64 -S delete_module -F key=module-unload
-
- ## Optional - admin may be abusing power by looking in user's home dir
--#-a always,exit -F dir=/home -F uid=0 -F auid>=500 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
-+#-a always,exit -F dir=/home -F uid=0 -F auid>=1000 -F auid!=4294967295 -C auid!=obj_uid -F key=power-abuse
-
- ## Optional - log container creation
- #-a always,exit -F arch=b32 -S clone -F a0&0x7C020000 -F key=container-create
-diff -ur audit-2.4.1.orig/docs/audit.rules.7 audit-2.4.1/docs/audit.rules.7
---- audit-2.4.1.orig/docs/audit.rules.7 2014-10-27 16:54:03.000000000 -0400
-+++ audit-2.4.1/docs/audit.rules.7 2014-10-28 14:23:00.014833616 -0400
-@@ -76,10 +76,10 @@
- .B \-F
- options that fine tune what to match against. Rather than list all the valid field types here, the reader should look at the auditctl man page which has a full listing of each field and what it means. But its worth mentioning a couple things.
-
--The audit system considers uids to be unsigned numbers. The audit system uses the number \-1 to indicate that a loginuid is not set. This means that when its printed out, it looks like 4294967295. If you write a rule that you wanted try to get the valid users of the system, you need to look in /etc/login.defs to see where user accounts start. For example, if UID_MIN is 500, then you would also need to take into account that the unsigned representation of \-1 is higher than 500. So you would address this with the following piece of a rule:
-+The audit system considers uids to be unsigned numbers. The audit system uses the number \-1 to indicate that a loginuid is not set. This means that when its printed out, it looks like 4294967295. If you write a rule that you wanted try to get the valid users of the system, you need to look in /etc/login.defs to see where user accounts start. For example, if UID_MIN is 1000, then you would also need to take into account that the unsigned representation of \-1 is higher than 1000. So you would address this with the following piece of a rule:
-
- .nf
--\-F auid>=500 \-F auid!=4294967295
-+\-F auid>=1000 \-F auid!=4294967295
- .fi
-
- These individual checks are "anded" and both have to be true.
diff --git a/SOURCES/audit-2.4.2-ipsec.patch b/SOURCES/audit-2.4.2-ipsec.patch
deleted file mode 100644
index f77316b..0000000
--- a/SOURCES/audit-2.4.2-ipsec.patch
+++ /dev/null
@@ -1,26 +0,0 @@
-diff -urp audit-2.4.1.orig/lib/libaudit.h audit-2.4.1/lib/libaudit.h
---- audit-2.4.1.orig/lib/libaudit.h 2014-10-27 16:54:03.000000000 -0400
-+++ audit-2.4.1/lib/libaudit.h 2014-12-16 13:37:12.798853979 -0500
-@@ -200,6 +200,10 @@ extern "C" {
- #define AUDIT_CRYPTO_REPLAY_USER 2406 /* Crypto replay detected */
- #define AUDIT_CRYPTO_SESSION 2407 /* Record parameters set during
- TLS session establishment */
-+#define AUDIT_CRYPTO_IKE_SA 2408 /* Record parameters related to
-+ IKE SA */
-+#define AUDIT_CRYPTO_IPSEC_SA 2409 /* Record parameters related to
-+ IPSEC SA */
-
- #define AUDIT_LAST_CRYPTO_MSG 2499
-
-diff -urp audit-2.4.1.orig/lib/msg_typetab.h audit-2.4.1/lib/msg_typetab.h
---- audit-2.4.1.orig/lib/msg_typetab.h 2014-10-27 16:54:03.000000000 -0400
-+++ audit-2.4.1/lib/msg_typetab.h 2014-12-16 13:37:12.798853979 -0500
-@@ -205,6 +205,8 @@ _S(AUDIT_CRYPTO_KEY_USER, "CR
- _S(AUDIT_CRYPTO_FAILURE_USER, "CRYPTO_FAILURE_USER" )
- _S(AUDIT_CRYPTO_REPLAY_USER, "CRYPTO_REPLAY_USER" )
- _S(AUDIT_CRYPTO_SESSION, "CRYPTO_SESSION" )
-+_S(AUDIT_CRYPTO_IKE_SA, "CRYPTO_IKE_SA" )
-+_S(AUDIT_CRYPTO_IPSEC_SA, "CRYPTO_IPSEC_SA" )
- _S(AUDIT_VIRT_CONTROL, "VIRT_CONTROL" )
- _S(AUDIT_VIRT_RESOURCE, "VIRT_RESOURCE" )
- _S(AUDIT_VIRT_MACHINE_ID, "VIRT_MACHINE_ID" )
diff --git a/SOURCES/audit-2.4.2-ppc-machine.patch b/SOURCES/audit-2.4.2-ppc-machine.patch
deleted file mode 100644
index b431900..0000000
--- a/SOURCES/audit-2.4.2-ppc-machine.patch
+++ /dev/null
@@ -1,21 +0,0 @@
-Index: /trunk/lib/libaudit.c
-===================================================================
---- /trunk/lib/libaudit.c (revision 1065)
-+++ /trunk/lib/libaudit.c (revision 1066)
-@@ -1214,12 +1214,8 @@
- break;
- #endif
-- case MACH_PPC64LE:
-- if (bits != __AUDIT_ARCH_64BIT)
-- return -6;
-- break;
--
-- case MACH_86_64: /* fallthrough */
-- case MACH_PPC64: /* fallthrough */
-- case MACH_S390X: /* fallthrough */
-+ case MACH_86_64: /* fallthrough */
-+ case MACH_PPC64: /* fallthrough */
-+ case MACH_PPC64LE: /* fallthrough */
-+ case MACH_S390X: /* fallthrough */
- break;
- default:
diff --git a/SOURCES/audit-2.6.5-autrace.patch b/SOURCES/audit-2.6.5-autrace.patch
new file mode 100644
index 0000000..8b513ed
--- /dev/null
+++ b/SOURCES/audit-2.6.5-autrace.patch
@@ -0,0 +1,37 @@
+diff -urp audit-2.6.5.orig/src/autrace.c audit-2.6.5/src/autrace.c
+--- audit-2.6.5.orig/src/autrace.c 2016-07-13 12:14:36.000000000 -0400
++++ audit-2.6.5/src/autrace.c 2016-07-22 10:41:41.221461110 -0400
+@@ -298,18 +298,19 @@ static int count_em(int fd)
+ FD_SET(fd, &read_mask);
+
+ for (i = 0; i < timeout; i++) {
++ struct timeval t;
++
++ t.tv_sec = 0;
++ t.tv_usec = 100000; /* .1 second */
+ retval = audit_get_reply(fd, &rep, GET_REPLY_NONBLOCKING, 0);
+ if (retval > 0) {
+- struct timeval t;
+-
+ if (rep.type == NLMSG_ERROR &&
+ rep.error->error == 0)
+ continue;
+- t.tv_sec = 0;
+- t.tv_usec = 100000; /* .1 second */
+ do {
+ retval=select(fd+1, &read_mask, NULL, NULL, &t);
+ } while (retval < 0 && errno == EINTR);
++
+ switch (rep.type)
+ {
+ case NLMSG_DONE:
+@@ -323,7 +324,8 @@ static int count_em(int fd)
+ default:
+ break;
+ }
+- }
++ } else if (errno == EAGAIN) // Take short delay
++ retval = select(fd+1, &read_mask, NULL, NULL, &t);
+ }
+ if (i >= timeout && count == 0)
+ count = -1;
diff --git a/SOURCES/audit-2.6.5-directory-permissions.patch b/SOURCES/audit-2.6.5-directory-permissions.patch
new file mode 100644
index 0000000..c439c27
--- /dev/null
+++ b/SOURCES/audit-2.6.5-directory-permissions.patch
@@ -0,0 +1,12 @@
+diff -urp audit-2.6.5.orig/src/auditd-event.c audit-2.6.5/src/auditd-event.c
+--- audit-2.6.5.orig/src/auditd-event.c 2016-07-13 12:14:36.000000000 -0400
++++ audit-2.6.5/src/auditd-event.c 2016-07-22 10:37:45.468455518 -0400
+@@ -900,7 +900,7 @@ static void fix_disk_permissions(void)
+ // Start with the directory
+ strcpy(path, config->log_file);
+ dir = dirname(path);
+- chmod(dir, config->log_group ? S_IRWXU|S_IRWXG : S_IRWXU);
++ chmod(dir, config->log_group ? S_IRWXU|S_IRGRP|S_IXGRP : S_IRWXU);
+ chown(dir, 0, config->log_group ? config->log_group : 0);
+
+ // Now, for each file...
diff --git a/SOURCES/audit-2.6.7-augenrules.patch b/SOURCES/audit-2.6.7-augenrules.patch
new file mode 100644
index 0000000..41b0cdb
--- /dev/null
+++ b/SOURCES/audit-2.6.7-augenrules.patch
@@ -0,0 +1,15 @@
+diff -urp audit-2.6.5.orig/init.d/augenrules audit-2.6.5/init.d/augenrules
+--- audit-2.6.5.orig/init.d/augenrules 2016-07-14 10:25:39.000000000 -0400
++++ audit-2.6.5/init.d/augenrules 2016-08-10 09:21:51.018391054 -0400
+@@ -125,6 +125,11 @@ if [ -f ${DestinationFile} ]; then
+ fi
+ # We copy the file so that it gets the right selinux lable
+ cp ${TmpRules} ${DestinationFile}
++chmod 0640 ${DestinationFile}
++# Restore context on MLS system. /tmp is SystemLow & audit.rules is SystemHigh
++if [ -x /usr/sbin/restorecon ] ; then
++ /usr/sbin/restorecon -F ${DestinationFile}
++fi
+ rm -f ${TmpRules}
+
+ try_load
diff --git a/SOURCES/audit-2.6.7-log-perms.patch b/SOURCES/audit-2.6.7-log-perms.patch
new file mode 100644
index 0000000..b3852b2
--- /dev/null
+++ b/SOURCES/audit-2.6.7-log-perms.patch
@@ -0,0 +1,13 @@
+diff -urp audit-2.6.5.orig/src/auditd-event.c audit-2.6.5/src/auditd-event.c
+--- audit-2.6.5.orig/src/auditd-event.c 2016-07-14 10:25:39.000000000 -0400
++++ audit-2.6.5/src/auditd-event.c 2016-08-10 09:24:41.450386810 -0400
+@@ -907,8 +907,7 @@ static void fix_disk_permissions(void)
+ for (i = 1; i < config->num_logs; i++) {
+ int rc;
+ snprintf(path, len, "%s.%d", config->log_file, i);
+- rc = chmod(path, config->log_group ? S_IWUSR|S_IRUSR|S_IRGRP :
+- S_IWUSR|S_IRUSR);
++ rc = chmod(path, config->log_group ? S_IRUSR|S_IRGRP : S_IRUSR);
+ if (rc && errno == ENOENT)
+ break;
+ }
diff --git a/SOURCES/audit-2.6.7-syslog.patch b/SOURCES/audit-2.6.7-syslog.patch
new file mode 100644
index 0000000..cc664ea
--- /dev/null
+++ b/SOURCES/audit-2.6.7-syslog.patch
@@ -0,0 +1,54 @@
+diff -urp audit-2.6.7/audisp/audispd-builtins.c audit-2.6.7.orig/audisp/audispd-builtins.c
+--- audit-2.6.7/audisp/audispd-builtins.c 2016-08-02 11:55:31.000000000 -0400
++++ audit-2.6.7.orig/audisp/audispd-builtins.c 2016-08-09 12:32:54.524964714 -0400
+@@ -327,10 +327,24 @@ static void init_syslog(const plugin_con
+ syslog_started = 1;
+ }
+
+-void send_syslog(const char *s)
++void send_syslog(const char *s, uint32_t ver)
+ {
+- if (syslog_started)
++ if (syslog_started) {
++ if (ver == AUDISP_PROTOCOL_VER2) {
++ char *ptr = strdup(s);
++ if (ptr) {
++ char *c = strchr(ptr, AUDIT_INTERP_SEPARATOR);
++ if (c)
++ *c = ' ';
++ syslog(priority, "%s", ptr);
++ free(ptr);
++ return;
++ }
++ }
++ // Everything should fall through except success because
++ // something is better than nothing.
+ syslog(priority, "%s", s);
++ }
+ }
+
+ void destroy_syslog(void)
+diff -urp audit-2.6.7/audisp/audispd-builtins.h audit-2.6.7.orig/audisp/audispd-builtins.h
+--- audit-2.6.7/audisp/audispd-builtins.h 2016-08-02 11:55:31.000000000 -0400
++++ audit-2.6.7.orig/audisp/audispd-builtins.h 2016-08-09 12:25:38.274976900 -0400
+@@ -31,7 +31,7 @@ void stop_builtin(plugin_conf_t *conf);
+ void send_af_unix_string(const char *s, unsigned int len);
+ void send_af_unix_binary(event_t *e);
+ void destroy_af_unix(void);
+-void send_syslog(const char *s);
++void send_syslog(const char *s, uint32_t ver);
+ void destroy_syslog(void);
+
+ typedef void (*poll_callback_ptr)(int fd);
+diff -urp audit-2.6.7/audisp/audispd.c audit-2.6.7.orig/audisp/audispd.c
+--- audit-2.6.7/audisp/audispd.c 2016-08-02 11:55:31.000000000 -0400
++++ audit-2.6.7.orig/audisp/audispd.c 2016-08-09 12:25:06.357977791 -0400
+@@ -684,7 +684,7 @@ static int event_loop(void)
+
+ /* Now send the event to the right child */
+ if (conf->p->type == S_SYSLOG)
+- send_syslog(v);
++ send_syslog(v, e->hdr.ver);
+ else if (conf->p->type == S_AF_UNIX) {
+ if (conf->p->format == F_STRING)
+ send_af_unix_string(v, len);
diff --git a/SPECS/audit.spec b/SPECS/audit.spec
index 229bee2..cfb38d3 100644
--- a/SPECS/audit.spec
+++ b/SPECS/audit.spec
@@ -1,37 +1,32 @@
%{!?python_sitearch: %define python_sitearch %(%{__python} -c "from distutils.sysconfig import get_python_lib; print get_python_lib(1)")}
-# Do we want systemd?
-%define WITH_SYSTEMD 1
-
Summary: User space tools for 2.6 kernel auditing
Name: audit
-Version: 2.4.1
-Release: 5%{?dist}
+Version: 2.6.5
+Release: 3%{?dist}
License: GPLv2+
Group: System Environment/Daemons
URL: http://people.redhat.com/sgrubb/audit/
Source0: http://people.redhat.com/sgrubb/audit/%{name}-%{version}.tar.gz
-# Default to using augenrules to create audit.rules
-Patch1: audit-2.3.3-augenrules.patch
-# Adjust beginning user id's to 1000
-Patch2: audit-2.4.1-uid-1000.patch
-# Add 2 ipsec related events
-Patch3: audit-2.4.2-ipsec.patch
-# Fix detection of audit elf type when ppc64le is specified in a rule
-Patch4: audit-2.4.2-ppc-machine.patch
+# bz 1358831 - group ownership and permissions of /var/log/audit
+Patch1: audit-2.6.5-directory-permissions.patch
+# bz 1358775 - autrace: Error - can't get rule count
+Patch2: audit-2.6.5-autrace.patch
+# bz 1362582 - regenerated audit.rules context and permissions changed
+Patch3: audit-2.6.7-augenrules.patch
+Patch4: audit-2.6.7-log-perms.patch
+Patch5: audit-2.6.7-syslog.patch
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
-BuildRequires: swig python-devel
+BuildRequires: openldap-devel
+BuildRequires: swig
+BuildRequires: python-devel
BuildRequires: tcp_wrappers-devel krb5-devel libcap-ng-devel
BuildRequires: kernel-headers >= 2.6.29
-Requires: %{name}-libs = %{version}-%{release}
-%if %{WITH_SYSTEMD}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
BuildRequires: systemd-units
Requires(post): systemd-units systemd-sysv chkconfig coreutils
Requires(preun): systemd-units
Requires(postun): systemd-units coreutils
-%else
-Requires: chkconfig
-%endif
%description
The audit package contains the user space utilities for
@@ -51,7 +46,7 @@ applications to use the audit framework.
Summary: Header files for libaudit
License: LGPLv2+
Group: Development/Libraries
-Requires: %{name}-libs = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: kernel-headers >= 2.6.29
%description libs-devel
@@ -73,7 +68,7 @@ framework libraries
Summary: Python bindings for libaudit
License: LGPLv2+
Group: Development/Libraries
-Requires: %{name}-libs = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%description libs-python
The audit-libs-python package contains the bindings so that libaudit
@@ -83,9 +78,8 @@ and libauparse can be used by python.
Summary: Plugins for the audit event dispatcher
License: GPLv2+
Group: System Environment/Daemons
-BuildRequires: openldap-devel
Requires: %{name} = %{version}-%{release}
-Requires: %{name}-libs = %{version}-%{release}
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
Requires: openldap
%description -n audispd-plugins
@@ -96,34 +90,25 @@ behavior.
%prep
%setup -q
-# augenrules
%patch1 -p1
-# uid 1000
%patch2 -p1
-# Add ipsec audit events
%patch3 -p1
-# Fix ppc64le elf type translation
-%patch4 -p2
+%patch4 -p1
+%patch5 -p1
%build
%configure --sbindir=/sbin --libdir=/%{_lib} --with-python=yes --with-libwrap --enable-gssapi-krb5=yes --with-libcap-ng=yes --with-arm --with-aarch64 \
---without-golang \
-%if %{WITH_SYSTEMD}
- --enable-systemd
-%endif
+--without-golang --enable-zos-remote --enable-systemd
-make %{?_smp_mflags}
+make CFLAGS="%{optflags}" %{?_smp_mflags}
%install
rm -rf $RPM_BUILD_ROOT
-mkdir -p $RPM_BUILD_ROOT/{sbin,etc/audispd/plugins.d}
-%if !%{WITH_SYSTEMD}
-mkdir -p $RPM_BUILD_ROOT/{etc/{sysconfig,rc.d/init.d}}
-%endif
+mkdir -p $RPM_BUILD_ROOT/{sbin,etc/audispd/plugins.d,etc/audit/rules.d}
mkdir -p $RPM_BUILD_ROOT/%{_mandir}/{man5,man8}
mkdir -p $RPM_BUILD_ROOT/%{_lib}
mkdir -p $RPM_BUILD_ROOT/%{_libdir}/audit
-mkdir -p $RPM_BUILD_ROOT/%{_var}/log/audit
+mkdir -p --mode=0700 $RPM_BUILD_ROOT/%{_var}/log/audit
mkdir -p $RPM_BUILD_ROOT/%{_var}/spool/audit
make DESTDIR=$RPM_BUILD_ROOT install
@@ -141,14 +126,9 @@ cd $curdir
# Remove these items so they don't get picked up.
rm -f $RPM_BUILD_ROOT/%{_lib}/libaudit.so
rm -f $RPM_BUILD_ROOT/%{_lib}/libauparse.so
-rm -f $RPM_BUILD_ROOT/%{_lib}/libaudit.la
-rm -f $RPM_BUILD_ROOT/%{_lib}/libauparse.la
-rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/_audit.a
-rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/_audit.la
-rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/_auparse.a
-rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/_auparse.la
-rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/auparse.a
-rm -f $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages/auparse.la
+
+find $RPM_BUILD_ROOT -name '*.la' -delete
+find $RPM_BUILD_ROOT/%{_libdir}/python?.?/site-packages -name '*.a' -delete
# Move the pkgconfig file
mv $RPM_BUILD_ROOT/%{_lib}/pkgconfig $RPM_BUILD_ROOT%{_libdir}
@@ -157,10 +137,13 @@ mv $RPM_BUILD_ROOT/%{_lib}/pkgconfig $RPM_BUILD_ROOT%{_libdir}
touch -r ./audit.spec $RPM_BUILD_ROOT/etc/libaudit.conf
touch -r ./audit.spec $RPM_BUILD_ROOT/usr/share/man/man5/libaudit.conf.5.gz
-%ifnarch aarch64 ppc %{power64} s390 s390x %{ix86}
%check
+%ifnarch aarch64 ppc %{power64} s390 s390x %{ix86}
make check
%endif
+# Get rid of make files that they don't get packaged.
+rm -f rules/Makefile*
+
%clean
rm -rf $RPM_BUILD_ROOT
@@ -169,24 +152,19 @@ rm -rf $RPM_BUILD_ROOT
%post
# Copy default rules into place on new installation
-if [ ! -e /etc/audit/audit.rules ] ; then
- cp /etc/audit/rules.d/audit.rules /etc/audit/audit.rules
+files=`ls /etc/audit/rules.d/ 2>/dev/null | wc -w`
+if [ "$files" -eq 0 ] ; then
+ if [ -e /usr/share/doc/audit/rules/10-base-config.rules ] ; then
+ cp /usr/share/doc/audit/rules/10-base-config.rules /etc/audit/rules.d/audit.rules
+ else
+ touch /etc/audit/rules.d/audit.rules
+ fi
+ chmod 0600 /etc/audit/rules.d/audit.rules
fi
-%if %{WITH_SYSTEMD}
%systemd_post auditd.service
-%else
-/sbin/chkconfig --add auditd
-%endif
%preun
-%if %{WITH_SYSTEMD}
%systemd_preun auditd.service
-%else
-if [ $1 -eq 0 ]; then
- /sbin/service auditd stop > /dev/null 2>&1
- /sbin/chkconfig --del auditd
-fi
-%endif
%postun libs -p /sbin/ldconfig
@@ -210,7 +188,9 @@ fi
%{_includedir}/libaudit.h
%{_includedir}/auparse.h
%{_includedir}/auparse-defs.h
+%{_datadir}/aclocal/audit.m4
%{_libdir}/pkgconfig/audit.pc
+%{_libdir}/pkgconfig/auparse.pc
%{_mandir}/man3/*
%files libs-static
@@ -226,7 +206,7 @@ fi
%files
%defattr(-,root,root,-)
-%doc README COPYING ChangeLog contrib/capp.rules contrib/nispom.rules contrib/lspp.rules contrib/stig.rules init.d/auditd.cron
+%doc README COPYING ChangeLog rules init.d/auditd.cron
%attr(644,root,root) %{_mandir}/man8/audispd.8.gz
%attr(644,root,root) %{_mandir}/man8/auditctl.8.gz
%attr(644,root,root) %{_mandir}/man8/auditd.8.gz
@@ -242,8 +222,8 @@ fi
%attr(644,root,root) %{_mandir}/man5/auditd.conf.5.gz
%attr(644,root,root) %{_mandir}/man5/audispd.conf.5.gz
%attr(644,root,root) %{_mandir}/man5/ausearch-expression.5.gz
-%attr(750,root,root) /sbin/auditctl
-%attr(750,root,root) /sbin/auditd
+%attr(755,root,root) /sbin/auditctl
+%attr(755,root,root) /sbin/auditd
%attr(755,root,root) /sbin/ausearch
%attr(755,root,root) /sbin/aureport
%attr(750,root,root) /sbin/autrace
@@ -253,25 +233,22 @@ fi
%attr(755,root,root) %{_bindir}/aulastlog
%attr(755,root,root) %{_bindir}/ausyscall
%attr(755,root,root) %{_bindir}/auvirt
-%if %{WITH_SYSTEMD}
-%attr(640,root,root) %{_unitdir}/auditd.service
+%attr(644,root,root) %{_unitdir}/auditd.service
%attr(750,root,root) %dir %{_libexecdir}/initscripts/legacy-actions/auditd
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/resume
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/rotate
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/stop
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/restart
%attr(750,root,root) %{_libexecdir}/initscripts/legacy-actions/auditd/condrestart
-%else
-%attr(755,root,root) /etc/rc.d/init.d/auditd
-%config(noreplace) %attr(640,root,root) /etc/sysconfig/auditd
-%endif
-%attr(750,root,root) %dir %{_var}/log/audit
+%attr(-,root,-) %dir %{_var}/log/audit
%attr(750,root,root) %dir /etc/audit
%attr(750,root,root) %dir /etc/audit/rules.d
%attr(750,root,root) %dir /etc/audisp
%attr(750,root,root) %dir /etc/audisp/plugins.d
%config(noreplace) %attr(640,root,root) /etc/audit/auditd.conf
-%config(noreplace) %attr(640,root,root) /etc/audit/rules.d/audit.rules
+%ghost %config(noreplace) %attr(640,root,root) /etc/audit/rules.d/audit.rules
+%ghost %config(noreplace) %attr(640,root,root) /etc/audit/audit.rules
+%config(noreplace) %attr(640,root,root) /etc/audit/audit-stop.rules
%config(noreplace) %attr(640,root,root) /etc/audisp/audispd.conf
%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/af_unix.conf
%config(noreplace) %attr(640,root,root) /etc/audisp/plugins.d/syslog.conf
@@ -291,6 +268,9 @@ fi
%attr(644,root,root) %{_mandir}/man8/audisp-remote.8.gz
%changelog
+* Wed Aug 10 2016 Steve Grubb <sgrubb@redhat.com> 2.6.5-3
+resolves: #1296204 - Rebase audit package
+
* Wed Jan 14 2015 Steve Grubb <sgrubb@redhat.com> 2.4.1-5
resolves: #1180675 - rules with "-F arch=ppc64le" fail to load