please enable CONFIG_AUDIT_LOGINUID_IMMUTABLE

Eric Paris eparis at redhat.com
Mon Feb 18 18:32:56 UTC 2013


On Mon, 2013-02-18 at 13:15 -0500, Josh Boyer wrote:
> On Mon, Feb 18, 2013 at 06:07:08PM +0100, Michal Schmidt wrote:
> > Hello Fedora kernel maintainers,
> > 
> > please consider setting CONFIG_AUDIT_LOGINUID_IMMUTABLE=y for F19.
> > 
> > It brings a security benefit and should be safe to turn on since
> > we're using systemd to start services.
> 
> Refresh my memory please.  Are we using systemd to start 100% of the
> services provided in Fedora?  I seem to recall there are still a number
> of packages not using/providing systemd unit files.  Would enabling this
> cause them to get weird EPERM errors?
> 
> Is there a simple thing to check for aside from EPERM if issues from
> this do pop up?

Daemons with a config requiring pam_loginuid.so will be unable to work if
they are launched by a logged in admin as opposed to systemd.  Obvious
workaround is to change the pam config.

Login daemons launched by sysinit at boot will work.
Login daemons launched by systemd will work.

Login daemons launched by sysinit from a logged in admin will fail.

Make sense?

I'm not sure what pam spews into the logs...
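An added diagnostic (not from the thread) for the "simple thing to check" Josh asks about: read the daemon's `/proc/<pid>/loginuid`; the kernel reports an unset loginuid as 4294967295 (unsigned -1), and under CONFIG_AUDIT_LOGINUID_IMMUTABLE a process that already carries one cannot have it rewritten by pam_loginuid.so. The function names are my own.

```shell
# Added example, not code from the original thread. Reports whether a
# process already carries an audit loginuid and predicts how pam_loginuid.so
# behaves once the kernel makes loginuid immutable: a daemon started from an
# admin's login shell inherits the admin's loginuid and fails with EPERM; one
# started by systemd or at boot has no loginuid yet and works.

UNSET_LOGINUID=4294967295   # (unsigned)-1: no login session recorded

# classify_loginuid VALUE -> prints "unset", "set" or "unknown"
classify_loginuid() {
    case "$1" in
        "$UNSET_LOGINUID" | -1) echo unset ;;
        '' | *[!0-9]*)          echo unknown; return 1 ;;
        *)                      echo set ;;
    esac
}

# predict_pam_loginuid VALUE -> expected pam_loginuid.so outcome for a
# process whose current loginuid is VALUE (immutable loginuid config)
predict_pam_loginuid() {
    if [ "$(classify_loginuid "$1")" = unset ]; then
        echo "ok: loginuid unset, pam_loginuid can set it"
    else
        echo "EPERM: loginuid already $1 and immutable; start the daemon" \
             "from systemd or remove pam_loginuid.so from its PAM config"
    fi
}

# check_pid PID -> inspect a live process via /proc (defaults to this shell)
check_pid() {
    pid=${1:-$$}
    f=/proc/$pid/loginuid
    [ -r "$f" ] || { echo "no $f (kernel without audit?)"; return 2; }
    v=$(cat "$f")
    printf 'pid %s loginuid=%s (%s)\n' "$pid" "$v" "$(classify_loginuid "$v")"
    predict_pam_loginuid "$v"
}

# Usage: check_pid "$(pidof sshd)"   # or any daemon that uses pam_loginuid
```

Run `check_pid` against the daemon's pid: a loginuid other than 4294967295 on a service process means it was launched from a login session, not by systemd or the boot sequence.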
