On Sat, 26 Oct 2013 22:39:49 +0100, Simon McVittie <s...@debian.org> wrote:
> On 26/10/13 16:27, Laurent Bigonville wrote:
> > It would be nice if audit support was enabled during build.
> >
> > This allows the AVC denials to also be logged by the audit
> > subsystem.
> >
> > This would add a dependency against libaudit and libcap-ng
>
> I see you intend to take over maintenance of libaudit. In your
> opinion, are libaudit and libcap-ng generally reasonably bug-free,
> and of a quality that you would be OK with linking into, for
> instance, pid 1?
>
> (AFAICS it's only dbus-daemon that gets linked to libaudit and
> libcap-ng, not libdbus; but on systems that rely on D-Bus for
> networking via NetworkManager/etc. or administrative tasks via
> systemd/PolicyKit/UPower/ConsoleKit/etc., dbus-daemon needs to be
> almost as reliable as pid 1.)

Since I took over the maintenance of audit in Debian (not a long time ago, I should say) I haven't seen any critical bug related to audit. I think that the developers are trying to be cautious; the audit subsystem is subject to some Gvt standard, I think.

And btw, systemd itself depends on libaudit.

I don't think that enabling the auditing code in dbus should cause issues.

> I want to be reasonably conservative about dbus-daemon's dependencies,
> particularly given that nobody active in dbus upstream (even the Red
> Hat/Fedora people...) seems to be willing to say anything
> authoritative about SELinux - e.g. see
> <https://bugs.freedesktop.org/show_bug.cgi?id=49062>.

I've added a comment on this bug; I'm wondering if the patch has not broken the auditing code in dbus. I'm still investigating.

> If we only call into libaudit on SELinux and not on non-LSM systems,
> that would make me feel better about it (I'd have to check the code).
> Enabling it first in experimental, then in unstable later, would
> probably be a good move.

audit_open() and audit_close() seem to be called in all cases, even if SELinux is not enabled on the machine.

But note that audit could also be used for other things, like logging a bus permission/policy violation.

my 2¢

Laurent Bigonville