Re: rawhide report: 20050617 changes


 



Hi,

>updated to the current rawhide 0.9.7 audit with a vanilla 2.6.12-rc6
>kernel. is there some kernel config switch to make it play nice?

The kernel switch we are using is CONFIG_AUDITSYSCALL. However, you should be
able to login without it. It does depend on which version of audit-libs and pam
that you are using. If you are using the current versions of each (rawhide), you
shouldn't be having a problem.

The way this should be working is that login calls pam, which in turn notifies
the audit system as pam performs certain actions. This is a call to
audit_send_user_message in libaudit.c. This sends the message via sendto into the
kernel. It checks for ECONNREFUSED which means the audit netlink subsystem is not
compiled into the kernel. It also looks for EPERM & uid!=0, which is what you
have when xscreensaver needs to let you back in. If either of those are found, it
tells pam that it was successful and pam continues with login.

Some pam configurations have also been updated to call pam_loginuid.so. What this
does is set a new process attribute, loginuid, that is inherited by all
processes after login forks to start your shell. This way, if you su to root, we
can see that you originally logged in under another account. There was a bug
spotted a week ago that pam_loginuid.so was not checking for ENOENT when it tried
to open /proc/self/loginuid to set that process attribute. This could also
prevent you from logging in, too.

To check this, comment out pam_loginuid.so in /etc/pam.d/login,sshd,gdm. Or you
can change it from required to optional.

Today should have audit-libs-0.9.8 in rawhide, which cleans up a couple more user
space audit message functions that are not called by pam. If you could check to
see if loginuid is causing the problem that would help. Any other debug info
would help too.

Thanks,
-Steve Grubb
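
The error handling described in the message above, as an added sketch that is not the libaudit or pam_loginuid source: which errno values let login proceed when the audit send fails, and how a missing loginuid file is tolerated. The helper names `audit_send_is_fatal` and `set_loginuid_at`, their return codes, and the sample path are assumptions for illustration.

```c
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <sys/types.h>
#include <unistd.h>

/* Hypothetical helper: given the result of the sendto() into the audit
 * netlink socket, say whether the caller (pam) should fail the login. */
int audit_send_is_fatal(int rc, int err, uid_t uid)
{
    if (rc >= 0)
        return 0;   /* message delivered */
    if (err == ECONNREFUSED)
        return 0;   /* audit netlink not compiled into the kernel */
    if (err == EPERM && uid != 0)
        return 0;   /* unprivileged caller, e.g. xscreensaver unlock */
    return 1;       /* anything else is a real failure */
}

/* Hypothetical helper: write uid to a loginuid file.
 * Returns 0 on success, 1 if the file does not exist (kernel without
 * loginuid support, so skip it), -1 on any other error. */
int set_loginuid_at(const char *path, uid_t uid)
{
    char buf[24];
    int fd = open(path, O_WRONLY | O_TRUNC);
    if (fd < 0)
        return errno == ENOENT ? 1 : -1;
    int len = snprintf(buf, sizeof buf, "%lu", (unsigned long)uid);
    int ok = write(fd, buf, (size_t)len) == (ssize_t)len;
    close(fd);
    return ok ? 0 : -1;
}

int main(void)
{
    /* Constructed cases: (rc, errno, uid) as seen after the sendto(). */
    printf("no audit in kernel, root: fatal=%d\n",
           audit_send_is_fatal(-1, ECONNREFUSED, 0));
    printf("EPERM as uid 1000:        fatal=%d\n",
           audit_send_is_fatal(-1, EPERM, 1000));
    printf("EPERM as root:            fatal=%d\n",
           audit_send_is_fatal(-1, EPERM, 0));
    printf("missing loginuid file:    rc=%d\n",
           set_loginuid_at("/constructed/missing/loginuid", 1000));
    return 0;
}
```

Both tolerated cases mean the login goes ahead without an audit record or loginuid being set, so a host that needs that trail should confirm the running kernel was built with CONFIG_AUDITSYSCALL.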


