PolicyKit and syslog
Seth Vidal
skvidal at fedoraproject.org
Tue Nov 24 16:48:11 UTC 2009
On Tue, 24 Nov 2009, Matthias Clasen wrote:
> On Tue, 2009-11-24 at 11:26 -0500, Matthew Miller wrote:
>> One of the important features of sudo is its ability to log elevated-access
>> actions to syslog.
>>
>> Userhelper similarly logs actions, like so: "userhelper[26491]: running
>> '/usr/share/system-config-users/system-config-users ' with root privileges
>> on behalf of 'mattdm'".
>>
>> PolicyKit serves a similar function, but doesn't seem to log anything.
>>
>> In fact, the only use of syslog appears to be in polkit-agent-helper-1,
>> which logs in two possible situations -- when called with the wrong number
>> of arguments and when stdin is a tty. (Most other things it fprintfs to
>> stderr.)
>>
>> I'm not bringing this up to complain -- I just want to make sure that I'm
>> not missing something (which happens more often than it should; *sigh*). If
>> I'm not missing something, is this something anyone is working on already or
>> has existing plans for?
>>
>
> PolicyKit itself is not running anything. It is just answering the
> question of a mechanism: 'is X allowed to do foo ?'. It would make more
> sense for the mechanisms that use PolicyKit to log privileged actions
> that they do or deny to do.
>
when the policies are updated it is policy kit that has to be involved.
polkitd is running, at least.
It would make sense for polkitd to note a change to a policy. Maybe also
to note any communications to polkitd of any kind.
-sv
More information about the fedora-devel-list
mailing list