Granting CAP_AUDIT_WRITE to X/dbus/...

Granting CAP_AUDIT_WRITE to X/dbus/...

[Laurent Bigonville]

Hello,

I was wondering now that the xserver can run as non-root shouldn't the
CAP_WRITE_AUDIT file capability be set on the Xorg executable? Same
question for AVC denials logging with dbus session bus[0]?

And in general, does anybody has an opinion about giving this
capability to $random executable?

Cheers,

Laurent Bigonville

[0] See: https://bugs.freedesktop.org/show_bug.cgi?id=83856

Re: Granting CAP_AUDIT_WRITE to X/dbus/...

[Steve Grubb]

On Monday, September 15, 2014 01:20:03 PM Laurent Bigonville wrote:
> Hello,
> 
> I was wondering now that the xserver can run as non-root shouldn't the
> CAP_WRITE_AUDIT file capability be set on the Xorg executable?

I can't imagine what the Xserver would need to do with auditing. If its linked 
against libaudit, then I guess it needs it. That said, no one has asked me to 
review what the Xserver is doing wrt auditing. So, I have no idea if its 
actually correctly done.


> Same question for AVC denials logging with dbus session bus[0]?

That one I know needs to write events.


> And in general, does anybody has an opinion about giving this
> capability to $random executable?

Yep, it should be done very cautiously. Some upstreams think audit is a syslog 
and just absolutely mess it up. Even upstreams that I helped get audit events 
working eventually decide to make changes (for who knows what reason) and then 
I find out a year later that they messed things up.

So, if auditing is being added to $random program, be suspicious and ask on 
the list if this is known and correct. I am wanting to fix this by creating 
some test suites that can help identify when programs change and start doing 
the wrong thing.

-Steve


> Cheers,
> 
> Laurent Bigonville
> 
> [0] See: https://bugs.freedesktop.org/show_bug.cgi?id=83856
> 
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit

Re: Granting CAP_AUDIT_WRITE to X/dbus/...

[Daniel J Walsh]

On 09/15/2014 09:57 AM, Steve Grubb wrote:
> On Monday, September 15, 2014 01:20:03 PM Laurent Bigonville wrote:
>> Hello,
>>
>> I was wondering now that the xserver can run as non-root shouldn't the
>> CAP_WRITE_AUDIT file capability be set on the Xorg executable?
> I can't imagine what the Xserver would need to do with auditing. If its linked 
> against libaudit, then I guess it needs it. That said, no one has asked me to 
> review what the Xserver is doing wrt auditing. So, I have no idea if its 
> actually correctly done.
XAce?
>
>> Same question for AVC denials logging with dbus session bus[0]?
> That one I know needs to write events.
>
>
>> And in general, does anybody has an opinion about giving this
>> capability to $random executable?
> Yep, it should be done very cautiously. Some upstreams think audit is a syslog 
> and just absolutely mess it up. Even upstreams that I helped get audit events 
> working eventually decide to make changes (for who knows what reason) and then 
> I find out a year later that they messed things up.
>
> So, if auditing is being added to $random program, be suspicious and ask on 
> the list if this is known and correct. I am wanting to fix this by creating 
> some test suites that can help identify when programs change and start doing 
> the wrong thing.
>
> -Steve
>
>
>> Cheers,
>>
>> Laurent Bigonville
>>
>> [0] See: https://bugs.freedesktop.org/show_bug.cgi?id=83856
>>
>> --
>> Linux-audit mailing list
>> Linux-audit@redhat.com
>> https://www.redhat.com/mailman/listinfo/linux-audit
> --
> Linux-audit mailing list
> Linux-audit@redhat.com
> https://www.redhat.com/mailman/listinfo/linux-audit