Stephen Smalley wrote:
> On Thu, 2008-02-28 at 13:48 -0500, Eamon Walsh wrote:
>> Stephen Smalley wrote:
>>> On Mon, 2008-02-25 at 20:12 -0500, Eamon Walsh wrote:
>>>
>>>> Eamon Walsh wrote:
>>>>
>>>>> The X object manager logs all avc's and status messages (including the
>>>>> AVC netlink stuff) through the audit system using libaudit calls
>>>>> (audit_log_user_avc_message, etc.) I disavow all responsibility for
>>>>> the messages once they enter libaudit
>>>>>
>>>> It's being black-holed in rawhide. To see for yourself, add the
>>>> attached patch to the spec file and rebuild the xserver from SRPM. It
>>>> will tee the avc messages into /var/log/Xorg.0.log.
>>>>
>>> Looking at the corresponding code in dbus, I see that dbus is calling
>>> both audit_log_user_avc_message() (if HAVE_LIBAUDIT) and
>>> vsyslog(LOG_INFO...) with the message.
>>>
>> Should the X server do this also? Why does it need to be logged twice?
>>
>>> Can you verify that the X server was able to create the audit socket
>>> successfully?
>>>
>> Yes, because when I actually install the audit package, things started
>> appearing in /var/log/audit/audit.log. I did not have the audit package
>> installed. Why isn't it redirecting to /var/log/messages in this case?
>> This is the behavior I was led to believe would happen, and this is what
>> happens with kernel AVC's.
>
> That's what I would expect, but I don't know. Safest thing would seem
> to be to follow dbus' example. The audit calls there are also
> conditionally compiled, so they can be entirely omitted on systems
> without libaudit, whereas the system logging is unconditional.
>
>>> Things that could go wrong:
>>> - X server uses privilege bracketing (switching uids or capabilities)
>>> and lacks the necessary audit capabilities.
>>> - X server shuts down all descriptors _after_ you've opened the audit
>>> socket, thereby closing it down too.
>>> - Policy doesn't allow X server to write audit messages (requires
>>> audit_write capability and netlink_audit_socket perms).
>>>

dbus is not a setuid application so when it runs in userspace it does not
have the right to send an audit message. When it gets a reload policy, the
user space dbus program sends the message to syslog. I don't think X needs
to do this.
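As an added example (mine, not code from the X server, dbus or this thread), the dual-sink pattern Stephen recommends: send the AVC message through libaudit only when HAVE_LIBAUDIT is defined and the audit socket could be opened, and to syslog unconditionally. Assumed here: the HAVE_LIBAUDIT macro name, libaudit's audit_open()/audit_log_user_avc_message() signature with its <= 0 failure return, and the AUDIT_USER_AVC record type; built without -DHAVE_LIBAUDIT -laudit the code is syslog-only.

```c
#include <errno.h>
#include <stdarg.h>
#include <stdio.h>
#include <string.h>
#include <syslog.h>
#include <unistd.h>
#ifdef HAVE_LIBAUDIT
#include <libaudit.h>
#endif

static int audit_fd = -1;   /* -1: audit socket unavailable, syslog only */

/* Open the audit netlink socket once, early: before the server closes
   stray descriptors or drops capabilities (two of the failure modes
   listed in the thread). Returns 1 if audit logging is usable, else 0. */
int avc_log_init(void)
{
#ifdef HAVE_LIBAUDIT
    audit_fd = audit_open();
    if (audit_fd < 0)
        syslog(LOG_WARNING, "audit_open: %s; AVC messages go to syslog only",
               strerror(errno));
#endif
    return audit_fd >= 0;
}

/* Log one formatted AVC message to every available sink. Returns the
   number of sinks that accepted it: 2 (audit + syslog) or 1 (syslog). */
int avc_log_message(const char *fmt, ...)
{
    char buf[1024];
    va_list ap;
    int sinks = 0;
    va_start(ap, fmt);
    vsnprintf(buf, sizeof buf, fmt, ap);
    va_end(ap);
#ifdef HAVE_LIBAUDIT
    /* audit_log_user_avc_message() returns <= 0 on failure (e.g. missing
       CAP_AUDIT_WRITE or a denied netlink_audit_socket permission). */
    if (audit_fd >= 0 &&
        audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf,
                                   NULL, NULL, NULL, getuid()) > 0)
        sinks++;
#endif
    /* Unconditional, like dbus's vsyslog(LOG_INFO, ...). */
    syslog(LOG_INFO, "%s", buf);
    sinks++;
    return sinks;
}
```

The return value lets the caller notice when the audit path silently dropped out, which is the black-holing Eamon observed.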