From mboxrd@z Thu Jan 1 00:00:00 1970 From: Steve Grubb Subject: Re: Granting CAP_AUDIT_WRITE to X/dbus/... Date: Mon, 15 Sep 2014 09:57:44 -0400 Message-ID: <1786181.n8Vjayl5bq@x2> References: <20140915132003.799cae6d@soldur.bigon.be> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <20140915132003.799cae6d@soldur.bigon.be> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: linux-audit-bounces@redhat.com Errors-To: linux-audit-bounces@redhat.com To: linux-audit@redhat.com List-Id: linux-audit@redhat.com On Monday, September 15, 2014 01:20:03 PM Laurent Bigonville wrote: > Hello, > > I was wondering now that the xserver can run as non-root shouldn't the > CAP_WRITE_AUDIT file capability be set on the Xorg executable? I can't imagine what the Xserver would need to do with auditing. If its linked against libaudit, then I guess it needs it. That said, no one has asked me to review what the Xserver is doing wrt auditing. So, I have no idea if its actually correctly done. > Same question for AVC denials logging with dbus session bus[0]? That one I know needs to write events. > And in general, does anybody has an opinion about giving this > capability to $random executable? Yep, it should be done very cautiously. Some upstreams think audit is a syslog and just absolutely mess it up. Even upstreams that I helped get audit events working eventually decide to make changes (for who knows what reason) and then I find out a year later that they messed things up. So, if auditing is being added to $random program, be suspicious and ask on the list if this is known and correct. I am wanting to fix this by creating some test suites that can help identify when programs change and start doing the wrong thing. -Steve > Cheers, > > Laurent Bigonville > > [0] See: https://bugs.freedesktop.org/show_bug.cgi?id=83856 > > -- > Linux-audit mailing list > Linux-audit@redhat.com > https://www.redhat.com/mailman/listinfo/linux-audit