On 02/18/2013 01:32 PM, Eric Paris wrote: > On Mon, 2013-02-18 at 13:15 -0500, Josh Boyer wrote: >> On Mon, Feb 18, 2013 at 06:07:08PM +0100, Michal Schmidt wrote: >>> Hello Fedora kernel maintainers, >>> >>> please consider setting CONFIG_AUDIT_LOGINUID_IMMUTABLE=y for F19. >>> >>> It brings a security benefit and should be safe to turn on since >>> we're using systemd to start services. >> >> Refresh my memory please. Are we using systemd to start 100% of the >> services provided in Fedora? I seem to recall there are still a number >> of packages not using/providing systemd unit files. Would enabling this >> cause them to get weird EPERM errors? >> >> Is there a simple thing to check for aside from EPERM if issues from >> this do pop up? > > Daemons with a config requiring pam_lognuid.so will be unable to work if > they are launched by a logged in admin as opposed to systemd. Obvious > work around is to change the pam config. > > Login daemons launched by sysinit at boot will work. > Login daemons launched by systemd will work. > > Login daemons launched by sysint from a logged in admin will fail. Assuming that systemd launching an "old" sysvinit script will work, this should be safe. I do not believe Fedora contains any other viable init mechanisms anymore (upstart is gone, sysvinit is a husk). ~tom == Fedora Project _______________________________________________ kernel mailing list kernel@xxxxxxxxxxxxxxxxxxxxxxx https://admin.fedoraproject.org/mailman/listinfo/kernel