Re: please enable CONFIG_AUDIT_LOGINUID_IMMUTABLE

On Mon, 2013-02-18 at 13:15 -0500, Josh Boyer wrote:
> On Mon, Feb 18, 2013 at 06:07:08PM +0100, Michal Schmidt wrote:
> > Hello Fedora kernel maintainers,
> > 
> > please consider setting CONFIG_AUDIT_LOGINUID_IMMUTABLE=y for F19.
> > 
> > It brings a security benefit and should be safe to turn on since
> > we're using systemd to start services.
> 
> Refresh my memory please.  Are we using systemd to start 100% of the
> services provided in Fedora?  I seem to recall there are still a number
> of packages not using/providing systemd unit files.  Would enabling this
> cause them to get weird EPERM errors?
> 
> Is there a simple thing to check for aside from EPERM if issues from
> this do pop up?

Daemons with a config requiring pam_loginuid.so will be unable to work if
they are launched by a logged-in admin as opposed to systemd.  Obvious
workaround is to change the pam config.

Login daemons launched by sysinit at boot will work.
Login daemons launched by systemd will work.

Login daemons launched by sysinit from a logged-in admin will fail.

Make sense?

I'm not sure what pam spews into the logs...

_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/kernel
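
A check for the failure case described in this thread, as an added example that is not part of the original messages: it reports which PAM services require pam_loginuid.so when the current session already has a login UID set. Assumptions: the login UID is readable from /proc/self/loginuid, 4294967295 means "not set", PAM service files live in /etc/pam.d, and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not code from the thread.
# Assumption: 4294967295 ((uid_t)-1) is the "login UID not set" value.
UNSET_LOGINUID=4294967295

# Succeeds if the login UID stored in file $1 has already been set.
loginuid_is_set() {
    uid=$(cat "$1" 2>/dev/null) || return 1
    [ -n "$uid" ] && [ "$uid" != "$UNSET_LOGINUID" ]
}

# Prints the PAM service files in directory $1 that carry an active
# (non-comment) session line making pam_loginuid.so required or requisite.
# Bracketed controls such as [success=ok default=bad] are not covered.
services_requiring_loginuid() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if grep -Eq '^[[:space:]]*-?session[[:space:]]+(required|requisite)[[:space:]]+(.*/)?pam_loginuid\.so' "$f"; then
            basename "$f"
        fi
    done
}

# Prints the services whose daemon would hit the case from the thread if it
# were started from this session: login UID already set (file $1) and the
# PAM config (directory $2) requires pam_loginuid.so. Prints nothing when
# the login UID is unset, as for daemons started at boot or by systemd.
at_risk_services() {
    loginuid_is_set "$1" || return 0
    services_requiring_loginuid "$2"
}

# Usage on a live system:
#   at_risk_services /proc/self/loginuid /etc/pam.d
```
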


