Re: please enable CONFIG_AUDIT_LOGINUID_IMMUTABLE


 



On Mon, 2013-02-18 at 13:38 -0500, Tom Callaway wrote:
> On 02/18/2013 01:32 PM, Eric Paris wrote:
> > On Mon, 2013-02-18 at 13:15 -0500, Josh Boyer wrote:
> >> On Mon, Feb 18, 2013 at 06:07:08PM +0100, Michal Schmidt wrote:
> >>> Hello Fedora kernel maintainers,
> >>>
> >>> please consider setting CONFIG_AUDIT_LOGINUID_IMMUTABLE=y for F19.
> >>>
> >>> It brings a security benefit and should be safe to turn on since
> >>> we're using systemd to start services.
> >>
> >> Refresh my memory please.  Are we using systemd to start 100% of the
> >> services provided in Fedora?  I seem to recall there are still a number
> >> of packages not using/providing systemd unit files.  Would enabling this
> >> cause them to get weird EPERM errors?
> >>
> >> Is there a simple thing to check for aside from EPERM if issues from
> >> this do pop up?
> > 
> > Daemons with a config requiring pam_loginuid.so will be unable to work if
> > they are launched by a logged-in admin as opposed to systemd.  Obvious
> > workaround is to change the pam config.
> > 
> > Login daemons launched by sysinit at boot will work.
> > Login daemons launched by systemd will work.
> > 
> > Login daemons launched by sysinit from a logged-in admin will fail.
> 
> Assuming that systemd launching an "old" sysvinit script will work, this
> should be safe. I do not believe Fedora contains any other viable init
> mechanisms anymore (upstart is gone, sysvinit is a husk).

What breaks is admin running

/usr/sbin/sshd -D

or

/usr/sbin/crond -n

unless they redo their stock pam config...

stuff from systemd is going to work fine...

_______________________________________________
kernel mailing list
kernel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/kernel
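
A check for the failure case described in this thread, as an added example that is not part of the original messages or of any Fedora tooling: it reads the session's loginuid and lists the PAM service files that load pam_loginuid.so as `required` or `requisite`, which are the ones expected to fail when the daemon is started by hand from a logged-in session. It assumes a kernel built with CONFIG_AUDIT_LOGINUID_IMMUTABLE=y; the function names are hypothetical, and PAM `include` lines and bracketed controls are not followed.

```shell
#!/bin/sh
# Added example. The kernel shows an unset loginuid as (uid_t)-1 = 4294967295.
UNSET_LOGINUID=4294967295

# loginuid_is_set VALUE: succeeds if VALUE is an already-assigned login uid.
loginuid_is_set() {
    [ -n "$1" ] && [ "$1" != "$UNSET_LOGINUID" ]
}

# pam_required_loginuid DIR: print the service files in DIR whose session
# stack loads pam_loginuid.so with a control that fails the whole stack.
pam_required_loginuid() {
    for f in "$1"/*; do
        [ -f "$f" ] || continue
        if awk '
            /^[ \t]*#/ { next }                      # skip comment lines
            $1 ~ /^-?session$/ &&
            ($2 == "required" || $2 == "requisite") &&
            $3 ~ /(^|\/)pam_loginuid\.so$/ { hit = 1 }
            END { exit !hit }' "$f"
        then
            basename "$f"
        fi
    done
}

# report LOGINUID DIR: with loginuid already set (logged-in admin), list the
# services expected to fail when started from this session.
report() {
    if loginuid_is_set "$1"; then
        pam_required_loginuid "$2" | sed 's/^/would-fail: /'
    else
        echo "loginuid unset: pam_loginuid.so can still set it"
    fi
}

# Stand-alone run against the live system, when the audit proc file exists.
if [ -r /proc/self/loginuid ] && [ -d /etc/pam.d ]; then
    report "$(cat /proc/self/loginuid)" /etc/pam.d
fi
```

Run from a shell started by systemd the loginuid is unset and nothing is flagged; run from an interactive login it lists services such as the sshd and crond cases named above, if their PAM files require the module.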


