On Thu, 2008-05-15 at 08:24 -0400, Steve Grubb wrote: > On Tuesday 13 May 2008 13:07:51 Ray Strode wrote: > > The replacement for rhgb will be a mixture of two things: > > > > 1) Starting gdm as early as possible and fitting it to give boot > > progress before asking for login. > > Please note that the audit daemon needs to start before any daemon if you want > it to work right. There's a couple reasons, one being that it enables the > audit system and without that, any process running before the audit daemon is > not auditable - ever. The work around is to add audit=1 to grub.conf, but > then you get a performance hit for everyone. > > The second reason is that any audit event that occurs before the audit daemon > runs could be lost. There may be AVCs on boot that you want or something else > important that you wanted to capture. > > I guess the message is without coordination, some of our security features may > not be working right unless consideration is given to their needs. It certainly doesn't help if these security features are 'special' in these little ways that then to easily break them. Isn't there something we can do to fix this ? Either make the audit system cope with userspace parts coming later, or if starting auditd first is really a hard requirement, implement that in a way that doesn't require mailing list reminders ? Matthias -- fedora-devel-list mailing list fedora-devel-list@xxxxxxxxxx https://www.redhat.com/mailman/listinfo/fedora-devel-list
