Granting CAP_AUDIT_WRITE to X/dbus/...
Steve Grubb
sgrubb at redhat.com
Mon Sep 15 13:57:44 UTC 2014
On Monday, September 15, 2014 01:20:03 PM Laurent Bigonville wrote:
> Hello,
>
> I was wondering now that the xserver can run as non-root shouldn't the
> CAP_WRITE_AUDIT file capability be set on the Xorg executable?
I can't imagine what the Xserver would need to do with auditing. If its linked
against libaudit, then I guess it needs it. That said, no one has asked me to
review what the Xserver is doing wrt auditing. So, I have no idea if its
actually correctly done.
> Same question for AVC denials logging with dbus session bus[0]?
That one I know needs to write events.
> And in general, does anybody has an opinion about giving this
> capability to $random executable?
Yep, it should be done very cautiously. Some upstreams think audit is a syslog
and just absolutely mess it up. Even upstreams that I helped get audit events
working eventually decide to make changes (for who knows what reason) and then
I find out a year later that they messed things up.
So, if auditing is being added to $random program, be suspicious and ask on
the list if this is known and correct. I am wanting to fix this by creating
some test suites that can help identify when programs change and start doing
the wrong thing.
-Steve
> Cheers,
>
> Laurent Bigonville
>
> [0] See: https://bugs.freedesktop.org/show_bug.cgi?id=83856
>
> --
> Linux-audit mailing list
> Linux-audit at redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit
More information about the Linux-audit
mailing list