From 770e4f538103f8a055f46c04a9e2514f88f175c3 Mon Sep 17 00:00:00 2001
From: Steve Grubb
Date: Mon, 1 Nov 2021 08:29:56 -0400
Subject: [PATCH 2244/2246] In auditd, close the logging file descriptor when logging is suspended

---
 src/auditd-event.c | 21 +++++++++++++++++++++
 1 file changed, 21 insertions(+)

diff --git a/src/auditd-event.c b/src/auditd-event.c
index 4a0a351..e88ef6e 100644
--- a/src/auditd-event.c
+++ b/src/auditd-event.c
@@ -861,6 +861,13 @@ static void do_space_left_action(int admin)
 case FA_SUSPEND:
 audit_msg(LOG_ALERT,
 "Audit daemon is suspending logging due to low disk space.");
+ // We need to close the file so that manual
+ // intervention can move or delete the file. We
+ // don't want to keep logging to a deleted file.
+ if (log_file)
+ fclose(log_file);
+ log_file = NULL;
+ log_fd = -1;
 logging_suspended = 1;
 break;
 case FA_SINGLE:
@@ -909,6 +916,13 @@ static void do_disk_full_action(void)
 case FA_SUSPEND:
 audit_msg(LOG_ALERT,
 "Audit daemon is suspending logging due to no space left on logging partition.");
+ // We need to close the file so that manual
+ // intervention can move or delete the file. We
+ // don't want to keep logging to a deleted file.
+ if (log_file)
+ fclose(log_file);
+ log_file = NULL;
+ log_fd = -1;
 logging_suspended = 1;
 break;
 case FA_SINGLE:
@@ -957,6 +971,13 @@ static void do_disk_error_action(const char *func, int err)
 case FA_SUSPEND:
 audit_msg(LOG_ALERT,
 "Audit daemon is suspending logging due to previously mentioned write error");
+ // We need to close the file so that manual
+ // intervention can move or delete the file. We
+ // don't want to keep logging to a deleted file.
+ if (log_file)
+ fclose(log_file);
+ log_file = NULL;
+ log_fd = -1;
 logging_suspended = 1;
 break;
 case FA_SINGLE:
-- 
1.8.3.1
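Review bot: The new `fclose(log_file)` in the FA_SUSPEND case of do_space_left_action (repeated verbatim in do_disk_full_action and do_disk_error_action) ignores its return value, and in the disk-full and write-error paths the implicit flush is the call most likely to fail, so any audit records still sitting in the stdio buffer are dropped without a trace. Reporting the failure keeps that gap visible to whoever investigates the suspension, e.g. `if (log_file && fclose(log_file) != 0)` followed by `audit_msg(LOG_ERR, "Error closing audit log while suspending (%s)", strerror(errno));`. The diffstat shows only these 21 inserted lines, so whatever path later clears `logging_suspended` is presumably unchanged by this patch and has to reopen the log before writing, since `log_file` is now NULL and `log_fd` is -1; that is worth confirming against the resume and rotate handlers, which are outside the hunks. The same seven lines in three places would also read better as one static helper called from each FA_SUSPEND case. All three functions begin and end outside their hunks.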