From mboxrd@z Thu Jan 1 00:00:00 1970
From: Steve Grubb
Subject: Re: /var/log/audit ownership/permissions
Date: Thu, 21 Jul 2016 10:31:45 -0400
Message-ID: <2157957.25sImG3kNV@x2>
References: <1d3522ae-ff55-5a91-5e8d-b64fac67e84b@redhat.com> <12890758.RtUGNIL9cO@x2> <5790D860.8060508@redhat.com>
In-Reply-To: <5790D860.8060508@redhat.com>
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Sender: linux-audit-bounces@redhat.com
Errors-To: linux-audit-bounces@redhat.com
To: Ondrej Moris
Cc: linux-audit@redhat.com
List-Id: linux-audit@redhat.com

On Thursday, July 21, 2016 4:12:48 PM EDT Ondrej Moris wrote:
> On 07/21/2016 03:55 PM, Steve Grubb wrote:
> >> I am fine with that but while I see the motivation [1], I
> >> just cannot find where is that happening in the code.
> >
> > https://fedorahosted.org/audit/browser/trunk/src/auditd-event.c#L886
>
> Thanks, now it is clear. You one thing - line 903 suggests that it is
> either 0700 or 0770 which I can confirm by testing:
>
> # # log_group = root
> # ls -ld /var/log/audit/
> drwx------. 2 root root 4096 Jul 21 09:56 /var/log/audit/
>
> # # log_group = input
> # ls -ld /var/log/audit/
> drwxrwx---. 2 root input 4096 Jul 21 09:56 /var/log/audit/

Fixed in commit 1360.

> >> Besides, specfile
> >> still contains:
> >>
> >> %attr(750,root,root) %dir %{_var}/log/audit
> >
> > Maybe I should take the attr away or modify it to (-,root,-). The group
> > can change. For example, I have wheel allowed to run audit reports on my
> > system.
> >
> >> and hence 'rpm -V audit' obviously fails.
> >
> > Yeah. Hmm.
>
> Yes, change you mentioned would solve 'rpm -V' problem. It sounds very
> reasonable since both group ownership and permission are configurable
> via auditd.conf.

Also fixed in the same commit.

-Steve
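
A check for the relationship discussed in this thread, added here as an example and not taken from the audit project or from either poster: it reads `log_group` from an auditd.conf and compares it with the group and mode of the log directory. The function name `audit_dir_check`, the finding labels, and the policy of flagging group write access (the 0770 case observed above) are assumptions of this example; it relies on GNU `stat`.

```shell
# Added example (not auditd code): compare a log directory with log_group.
# Usage: audit_dir_check CONF DIR
# Prints "ok" or a comma-separated list of findings.
audit_dir_check() {
    conf=$1 dir=$2
    # Take the last log_group line; auditd.conf documents root as the default.
    want=$(awk -F= '$1 ~ /^[ \t]*log_group[ \t]*$/ { gsub(/[ \t]/, "", $2); g = $2 }
                    END { print (g == "" ? "root" : g) }' "$conf")
    have=$(stat -c '%G' "$dir") || return 2
    # Pad to four octal digits so setuid/setgid/sticky never shift the fields.
    mode=$(printf '%04d' "$(stat -c '%a' "$dir")")
    grp=${mode#??}; grp=${grp%?}    # group permission digit
    oth=${mode#???}                 # other permission digit
    out=
    # The directory group should be the one configured in auditd.conf.
    [ "$have" = "$want" ] || out="group-mismatch"
    # Assumption of this example: report readers in log_group need r-x only,
    # so group write (as in the drwxrwx--- listing) is reported.
    [ $(( grp & 2 )) -eq 0 ] || out="${out:+$out,}group-writable"
    # Audit logs should never be reachable by users outside owner and group.
    [ "$oth" = 0 ] || out="${out:+$out,}world-accessible"
    printf '%s\n' "${out:-ok}"
}
```

On a live system the call would be `audit_dir_check /etc/audit/auditd.conf /var/log/audit`, run as a user able to stat the directory.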