Hi Sven,

On 31.08.22 at 14:01, Sven Mueller wrote:
On Tue, Aug 30, 2022 at 9:49 PM Michael Biebl <bi...@debian.org> wrote:

On 30.08.22 at 19:46, Michael Biebl wrote:

On 30.08.22 at 19:31, Michael Biebl wrote:

On Wed, 17 Aug 2022 19:17:16 +0200 Sven Mueller <s...@google.com> wrote:

It's reproducible only with systemd upgrades. We've reproduced it with different versions of systemd, but always upgrading from 249.7-1 to the version tested.

I assume this reproducer can be further reduced to systemctl restart systemd-journald? (which is part of systemd.postinst)

Could you check if replacing debian/patches/Don-t-enable-audit-by-default.patch with the attached patch helps?

It was pointed out on IRC that we probably need to initialize the value with -1 (so it is "unset") instead of simply removing the line.

I'll be honest: I currently don't have the time to test this (ooo for a while starting on Friday). But it seems unlikely that this change targets the root cause of our issue. Neither the patch nor the affected code seems to have changed recently enough (since 249.7-1 - we did multiple upgrades in between).
This part is indeed weird. `git diff v249.7..v250 -- src/journal/` on a cursory glance doesn't show anything which could be the cause of this.
However, a quick test I was able to do was to use `Audit=` in journald.conf to avoid the issue. Which makes me doubt my own words in the previous paragraph. But as I said: We didn't run into these issues with previous upgrades. Which is weird, since the postinst also didn't change considerably enough to explain it.
Yeah, setting 'Audit=', i.e. an empty string, will have the same effect as the patch. So thanks for confirming this is going in the right direction.
You are right that `systemctl try-restart systemd-journald.service` is enough to trigger the issue. And I suspect that making .set_audit default to being unset (-1) would likely avoid our issue (as the test with Audit= in the config, which should also set it to -1, seems to show).
Aside from initializing set_audit to -1, the auditd package could also ship a drop-in snippet for journald, setting Audit=yes explicitly.
Not quite sure if that has other side-effects one should be aware of.

So at this point, it's probably best to wait for feedback from Laurent, the auditd maintainer.
Regards, Michael