Hello,

On Thursday, September 15, 2022 8:11:39 AM EDT Vladimir Slavik wrote:
> while trying to make sense of the remaining C bits in anaconda, I found
> that we actually have a mock auditd, which does nothing and replaces the
> real auditd on boot.iso, via lorax templates.
>
> Now I'm trying to understand why. Is it because it writes too much to
> journal? Is it because it takes 90 MB memory? Something else?
>
> Steve, Brian - would you know?
>
> PS: https://github.com/rhinstaller/anaconda/pull/4331 - moving it from the
> python module directory where it was hiding.

I would guess that they are trying to prevent hardwired audit events from going into the install logs. If you boot with audit=0, you wouldn't need a mock auditd because auditing is disabled...except that systemd-journald blindly enables auditing. Maybe they fixed it to respect the command line by now, I don't know.

Another item, and maybe this is the reason, if there is no auditd, selinux sends AVC's to syslog. So, maybe it's to suppress AVC's?

I'd suggest booting with audit=0. If you get any events in your logs, you can probably replace auditd with a python variant. Libaudit has python bindings. It is not well tested for handling audit events. But it is used by semanage and some other python programs.

-Steve
_______________________________________________
Anaconda-devel mailing list -- anaconda-devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to anaconda-devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproject.org/archives/list/anaconda-devel@xxxxxxxxxxxxxxxxxxxxxxx
Do not reply to spam, report it: https://pagure.io/fedora-infrastructure/new_issue
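
Added example (not part of the original message, and not anaconda or audit project code): one way to run the check suggested above, by reading the `audit=` value from a kernel command line and counting audit records, AVCs included, that still show up in a log. It assumes the records appear in the kernel's printk form (`audit: type=N audit(TIME:SERIAL): ...`); the function names, the sample command line and the sample log lines are constructed for illustration.

```python
import re
from collections import Counter

# A few well-known audit record type numbers; others are reported as type=N.
TYPE_NAMES = {1130: "SERVICE_START", 1300: "SYSCALL", 1400: "AVC"}

# Kernel printk form of an audit record (assumed input format):
#   audit: type=1400 audit(1663243899.101:3): avc:  denied ...
AUDIT_RE = re.compile(r"\baudit: type=(\d+) audit\((\d+\.\d+):(\d+)\):")

def audit_param(cmdline):
    """Return the last audit= value on a kernel command line, or None."""
    value = None
    for token in cmdline.split():
        if token.startswith("audit="):
            value = token.split("=", 1)[1]
    return value

def count_audit_records(lines):
    """Count audit records per record type in an iterable of log lines."""
    counts = Counter()
    for line in lines:
        m = AUDIT_RE.search(line)
        if m:
            rtype = int(m.group(1))
            counts[TYPE_NAMES.get(rtype, f"type={rtype}")] += 1
    return counts

def report(cmdline, lines):
    """Flag the case where audit=0/off was requested but records still appear."""
    disabled = audit_param(cmdline) in ("0", "off")
    counts = count_audit_records(lines)
    return {"audit_disabled_on_cmdline": disabled,
            "records": dict(counts),
            "unexpected": disabled and bool(counts)}

# Constructed sample input, not taken from a real boot.iso.
SAMPLE_CMDLINE = "BOOT_IMAGE=/images/pxeboot/vmlinuz quiet audit=0"
SAMPLE_LOG = [
    'Sep 15 08:11:39 localhost kernel: audit: type=1400 audit(1663243899.101:3): '
    'avc:  denied  { read } for  pid=812 comm="example" name="example.conf" tclass=file',
    "Sep 15 08:11:40 localhost kernel: audit: type=1130 audit(1663243900.207:4): "
    "pid=1 uid=0 msg='unit=example comm=\"systemd\" res=success'",
    "Sep 15 08:11:41 localhost systemd[1]: Started Example Service.",
]

if __name__ == "__main__":
    print(report(SAMPLE_CMDLINE, SAMPLE_LOG))
```

On a booted system the same functions can be fed the contents of `/proc/cmdline` and the lines of the install log being inspected.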