Parallel boot and audit
Steve Grubb
sgrubb at redhat.com
Tue Apr 1 14:54:45 UTC 2008
On Tuesday 01 April 2008 10:28:23 am Toshio Kuratomi wrote:
> Steve Grubb wrote:
> > On Tuesday 01 April 2008 09:18:22 am Harald Hoyer wrote:
> >>> Using the LSB headers, how do I express that audit needs to start
> >>> before just about everything else? The only things I can think of that
> >>> could be before audit are irqbalance, cpuspeed, iptables, ip6tables,
> >>> netlabel, network, bind (optional), and syslog. The irqbalance and
> >>> cpuspeed are questionable, though.
> >>>
> >>> -Steve
> >>
> >> The bad thing, you can't specify "run before" in LSB syntax.
> >
> > If we are switching in F9, we need this fixed before release.
>
> To my knowledge, we are not switching to LSB headers for F9. You can
> add LSB headers to your initscripts but they are optional.
That's not the way a bugzilla was filed against audit:
https://bugzilla.redhat.com/show_bug.cgi?id=246872
which blocks 246824. If we change our minds about this, it would be nice if
the filer of the bug writes something on the bz saying the need was
overstated or delayed.
Meanwhile, everyone playing with parallel boot will probably be missing AVCs
in the audit logs, or if they are using audit will have a lot of processes
unauditable. If GDM or another login daemon runs before audit, the user's
login uid in the kernel's task struct will not be set when they login. This
also means there won't be a login session task attribute set that identifies
which login any process is associated to. IOW, there is a lot of security
tracking that goes wrong.
> We're moving to upstart with SysVinit compatibility for F9. And at some
> point in the future will probably have a push for upstart native start
> scripts/configs/whatever.
Does it allow one to say I need this to start at a specific point in time
without modifying all initscripts?
-Steve
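The check an administrator would run on a machine after a parallel boot, as an added example that is not part of the thread: it reads each task's loginuid and sessionid from /proc (assumes Linux) and flags the ones the kernel still reports as unset, which is exactly the state a login session inherits when its login daemon started before auditd.

```shell
#!/bin/sh
# Added example, not from the thread: find processes whose audit identity was
# never set.  Linux exposes a task's loginuid and sessionid in /proc; an unset
# value reads as 4294967295 ((unsigned)-1), so any login session carrying it
# cannot be tied to a user in the audit trail.

is_unset() {
    [ "$1" = "4294967295" ] || [ "$1" = "-1" ]
}

# Print "pid comm loginuid sessionid" for each live process (assumes Linux /proc).
collect_proc_audit_ids() {
    for d in /proc/[0-9]*; do
        [ -r "$d/loginuid" ] && [ -r "$d/sessionid" ] || continue
        comm=$(cat "$d/comm" 2>/dev/null || echo '?')
        printf '%s %s %s %s\n' "${d#/proc/}" "$comm" \
            "$(cat "$d/loginuid")" "$(cat "$d/sessionid")"
    done
}

# Read "pid comm loginuid sessionid" lines on stdin and print those with no
# audit identity.  Daemons started by init are expected here; a user's
# session shell or desktop is not.
report_unaudited() {
    while read -r pid comm loginuid sessionid; do
        if is_unset "$loginuid" || is_unset "$sessionid"; then
            printf 'pid %s (%s) loginuid=%s sessionid=%s\n' \
                "$pid" "$comm" "$loginuid" "$sessionid"
        fi
    done
}

# Constructed sample: gdm came up before auditd, so the desktop session it
# spawned (pid 950) has no identity; the ssh login at pid 1402 started later
# and is tracked.
SAMPLE='812 gdm 4294967295 4294967295
950 gnome-session 4294967295 4294967295
1402 bash 1000 3'

# Number of flagged entries in the constructed sample.
count_sample_unaudited() {
    printf '%s\n' "$SAMPLE" | report_unaudited | wc -l | tr -d ' '
}

# On a live system: collect_proc_audit_ids | report_unaudited
```

Any user session listed by the live pipeline was started by a daemon that came up ahead of auditd, so its events are recorded without a login identity.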