Instead of just forking, we fork() anaconda and then execv our custom
audit daemon. This saves us an extra anaconda process running permanently,
taking memory.
Related: rhbz#549653
---
anaconda | 14 +++++++++++++-
isys/Makefile.am | 6 ++++++
isys/auditd.c | 11 +++++------
scripts/mk-images | 2 ++
4 files changed, 26 insertions(+), 7 deletions(-)
diff --git a/anaconda b/anaconda
index 20ae4a0..e85a70a 100755
--- a/anaconda
+++ b/anaconda
@@ -60,6 +60,18 @@ def startMetacityWM():
sys.exit(0)
return childpid
+def startAuditDaemon():
+ childpid = os.fork()
+ if not childpid:
+ cmd = '/sbin/auditd'
+ try:
+ os.execl(cmd, cmd)
+ except OSError as e:
+ log.error("Error running the audit daemon: %s" % str(e))
+ sys.exit(0)
+ # auditd will turn into a daemon so catch the immediate child pid now:
+ os.waitpid(childpid, 0)
+
# function to handle X startup special issues for anaconda
def doStartupX11Actions(runres="800x600"):
global wm_pid
@@ -760,7 +772,7 @@ if __name__ == "__main__":
opts.isHeadless = True
if not flags.livecdInstall:
- isys.auditDaemon()
+ startAuditDaemon()
# setup links required for all install types
for i in ( "services", "protocols", "nsswitch.conf", "joe", "selinux",
diff --git a/isys/Makefile.am b/isys/Makefile.am
index f7c076a..415a0b5 100644
--- a/isys/Makefile.am
+++ b/isys/Makefile.am
@@ -52,4 +52,10 @@ libisys_la_LDFLAGS = -static
libisys_la_LIBADD = $(ISYS_LIBS)
libisys_la_SOURCES = $(ISYS_SRCS)
+auditddir = $(libdir)/$(PACKAGE_NAME)-runtime
+auditd_PROGRAMS = auditd
+auditd_SOURCES = auditd.c
+auditd_CFLAGS = -DSTANDALONE $(SELINUX_CFLAGS)
+auditd_LDADD = $(SELINUX_LIBS) $(LIBNL_LIBS)
+
MAINTAINERCLEANFILES = Makefile.in
diff --git a/isys/auditd.c b/isys/auditd.c
index 8eef4f3..2ca6d04 100644
--- a/isys/auditd.c
+++ b/isys/auditd.c
@@ -94,32 +94,31 @@ static void do_auditd(int fd) {
int audit_daemonize(void) {
#ifdef USESELINUX
int fd;
-#ifndef STANDALONE
- int i;
pid_t child;
-
+ int i;
if ((child = fork()) > 0)
return 0;
+#ifndef STANDALONE
for (i = 0; i < getdtablesize(); i++)
close(i);
-
signal(SIGTTOU, SIG_IGN);
signal(SIGTTIN, SIG_IGN);
signal(SIGTSTP, SIG_IGN);
+#endif /* !defined(STANDALONE) */
if ((fd = open("/proc/self/oom_adj", O_RDWR)) >= 0) {
i = write(fd, "-17", 3);
close(fd);
}
-
-#endif /* !defined(STANDALONE) */
fd = audit_open();
do_auditd(fd);
audit_close(fd);
+
#ifndef STANDALONE
exit(0);
#endif /* !defined(STANDALONE) */
+
#endif /* USESELINUX */
return 0;
}
diff --git a/scripts/mk-images b/scripts/mk-images
index bf76ce3..d55f110 100755
--- a/scripts/mk-images
+++ b/scripts/mk-images
@@ -163,6 +163,7 @@ GETKEYMAPS=$IMGPATH/usr/lib/anaconda-runtime/getkeymaps
GENINITRDSZ=$IMGPATH/usr/lib/anaconda-runtime/geninitrdsz
MKS390CDBOOT=$IMGPATH/usr/lib/anaconda-runtime/mk-s390-cdboot
GENMODINFO=$IMGPATH/usr/lib/anaconda-runtime/genmodinfo
+LIBEXECBINDIR=$IMGPATH/usr/lib/anaconda-runtime
KEYMAPS=$TMPDIR/keymaps-$BUILDARCH.$$
SCREENFONT=$IMGPATH/usr/lib/anaconda-runtime/screenfont-${BASEARCH}.gz
MODLIST=$IMGPATH/usr/lib/anaconda-runtime/modlist
@@ -667,6 +668,7 @@ makeinitrd() {
instbin $IMGPATH /usr/sbin/dasdfmt $MBD_DIR /sbin/dasdfmt
cp -a $IMGPATH/usr/sbin/*_cio_free $MBD_DIR/sbin
fi
+ instbin $IMGPATH ${LIBEXECBINDIR##$IMGPATH}/auditd $MBD_DIR /sbin/auditd
if [ "$BUILDARCH" != "s390" -a "$BUILDARCH" != "s390x" ]; then
install -m 644 $KEYMAPS $MBD_DIR/etc/keymaps.gz
--
1.6.6
_______________________________________________
Anaconda-devel-list mailing list
Anaconda-devel-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/anaconda-devel-list
