[Anaconda-devel] Re: auditd replacement in installer environment

Hello,

On Tuesday, September 20, 2022 6:36:12 AM EDT Jiri Konecny wrote:
> I wonder, couldn't we add `audit=0` to the initrd or enable it in the
> initrd by our dracut modules? I think that would be a better solution than
> having code to drop messages.

Journald automatically enables the audit subsystem no matter what the end 
user desires. If you could get them to obey the command line, it might be the 
best solution. But also...in the absence of auditd, SELinux sends AVC's to 
syslog. I don't know if that is a problem.

-Steve

> On 15. 09. 22 at 17:31, Brian C. Lane wrote:
> > On Thu, Sep 15, 2022 at 10:20:04AM -0400, Steve Grubb wrote:
> >> Hello,
> >> 
> >> On Thursday, September 15, 2022 8:11:39 AM EDT Vladimir Slavik wrote:
> >>> while trying to make sense of the remaining C bits in anaconda, I found
> >>> that we actually have a mock auditd, which does nothing and replaces the
> >>> real auditd on boot.iso, via lorax templates.
> >>> 
> >>> Now I'm trying to understand why. Is it because it writes too much to
> >>> journal? Is it because it takes 90 MB memory? Something else?
> >>> 
> >>> Steve, Brian - would you know?
> >>> 
> >>> PS: https://github.com/rhinstaller/anaconda/pull/4331 - moving it from the
> >>> python module directory where it was hiding.
> >> 
> >> I would guess that they are trying to prevent hardwired audit events from
> >> going into the install logs. If you boot with audit=0, you wouldn't need a
> >> mock auditd because auditing is disabled...except that systemd-journald
> >> blindly enables auditing. Maybe they fixed it to respect the command
> >> line by now, I don't know.
> >> 
> >> Another item, and maybe this is the reason, if there is no auditd, selinux
> >> sends AVC's to syslog. So, maybe it's to suppress AVC's?
> >> 
> >> I'd suggest booting with audit=0. If you get any events in your logs,
> >> you can probably replace auditd with a python variant. Libaudit has
> >> python bindings. It is not well tested for handling audit events. But
> >> it is used by semanage and some other python programs.
> > 
> > I talked to pjones (update in the PR as well) and it was because space
> > was limited and something needed to listen to the socket to throw away
> > the messages. My guess is that this is still valid, I don't think it
> > would provide anything useful in the installer environment, and would
> > just clutter up the journal with irrelevant messages. Maybe.
> > 
> > Booting with audit=0 may work, but one thing to remember is some people
> > use PXE and wouldn't have the same cmdline as the iso, so it may be
> > better to just keep this so it 'Just Works(TM)'.
> > 
> > Brian
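
The thread turns on three observable facts: what `audit=` says on the kernel command line (which differs between ISO and PXE boots), whether the kernel actually has auditing enabled, and whether any audit daemon is registered. The script below is an added example, not code from the thread or from anaconda; it classifies those three from a command line and from `auditctl -s` output. The function names and sample inputs are constructed for illustration, and it assumes `auditctl` is available in the environment being checked.

```shell
#!/bin/sh
# Added example, not from the thread. All sample inputs below are constructed.

# Print the effective audit= value from a kernel command line ("unset" if absent).
# Every occurrence is parsed, so the last one is taken.
audit_cmdline_value() (
    set -f                      # no globbing while word-splitting the cmdline
    val=unset
    for tok in $1; do
        case "$tok" in audit=*) val=${tok#audit=} ;; esac
    done
    printf '%s\n' "$val"
)

# Print one field ("enabled", "pid", ...) from `auditctl -s` output.
status_field() {
    printf '%s\n' "$1" | awk -v f="$2" '$1 == f { print $2; exit }'
}

# Classify the audit state. Args: kernel cmdline, `auditctl -s` output.
audit_state() {
    want=$(audit_cmdline_value "$1")
    enabled=$(status_field "$2" enabled)
    pid=$(status_field "$2" pid)
    if [ "$enabled" = 0 ]; then
        echo "disabled"
    elif [ "$want" = 0 ] || [ "$want" = off ]; then
        # Something turned auditing on despite the command line.
        echo "mismatch: audit=$want requested, kernel reports enabled=$enabled"
    elif [ "$pid" = 0 ]; then
        # No daemon is draining events (the case a mock auditd exists to cover).
        echo "enabled, no daemon"
    else
        echo "enabled, daemon pid $pid"
    fi
}

# Constructed samples: an ISO-style cmdline with audit=0, a PXE one without it.
ISO_CMDLINE='BOOT_IMAGE=/images/pxeboot/vmlinuz inst.stage2=hd:LABEL=EXAMPLE quiet audit=0'
PXE_CMDLINE='BOOT_IMAGE=vmlinuz initrd=initrd.img inst.repo=http://repo.example/os ip=dhcp'
STATUS_NO_DAEMON='enabled 1
failure 1
pid 0'
STATUS_DAEMON='enabled 1
failure 1
pid 712'
STATUS_OFF='enabled 0
failure 1
pid 0'

# Live use: audit_state "$(cat /proc/cmdline)" "$(auditctl -s)"
```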






