Parallel boot and audit

Steve Grubb sgrubb at redhat.com
Tue Apr 1 14:54:45 UTC 2008


On Tuesday 01 April 2008 10:28:23 am Toshio Kuratomi wrote:
> Steve Grubb wrote:
> > On Tuesday 01 April 2008 09:18:22 am Harald Hoyer wrote:
> >>> Using the LSB headers, how do I express that audit needs to start
> >>> before just about everything else? The only things I can think of that
> >>> could be before audit are irqbalance, cpuspeed, iptables, ip6tables,
> >>> netlabel, network, bind (optional), and syslog. The irqbalance and
> >>> cpuspeed are questionable, though.
> >>>
> >>> -Steve
> >>
> >> The bad thing is, you can't specify "run before" in LSB syntax.
> >
> > If we are switching in F9, we need this fixed before release.
>
> To my knowledge, we are not switching to LSB headers for F9.  You can
> add LSB headers to your initscripts but they are optional.

That's not the way a bugzilla was filed against audit:

https://bugzilla.redhat.com/show_bug.cgi?id=246872

which blocks 246824. If we change our minds about this, it would be nice if 
the filer of the bug writes something on the bz saying the need was 
overstated or delayed. 

Meanwhile, everyone playing with parallel boot will probably be missing AVCs 
in the audit logs, or if they are using audit will have a lot of processes 
unauditable. If GDM or another login daemon runs before audit, the user's 
login uid in the kernel's task struct will not be set when they log in. This 
also means there won't be a login session task attribute set that identifies 
which login any process is associated with. IOW, there is a lot of security 
tracking that goes wrong.


> We're moving to upstart with SysVinit compatibility for F9.  And at some
> point in the future will probably have a push for upstart native start
> scripts/configs/whatever.

Does it allow one to say I need this to start at a specific point in time 
without modifying all initscripts?

-Steve
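A quick way to see whether the failure mode described in this message has hit a box is to look at /proc/<pid>/loginuid for every process: the kernel reports 4294967295 ((uid_t)-1) there for any task whose login uid was never set. The script below is an added example, not part of the original message or of the audit package; it assumes a Linux /proc with per-process loginuid, comm and status files, and that the caller can read them (loginuid is normally readable only by the process owner or root). The SAMPLE_SNAPSHOT is constructed data, not output from a real system.

```python
import os
from typing import Iterable, List, Tuple

# What the kernel reports in /proc/<pid>/loginuid when no login uid has ever
# been set on the task: (uid_t)-1, printed as an unsigned 32-bit value.
UNSET_LOGINUID = 4294967295

# (pid, comm, real uid, raw contents of /proc/<pid>/loginuid)
ProcEntry = Tuple[int, str, int, str]


def loginuid_is_set(loginuid_text: str) -> bool:
    """True if /proc/<pid>/loginuid holds a real uid rather than the unset marker."""
    return int(loginuid_text.strip()) != UNSET_LOGINUID


def untracked_user_processes(entries: Iterable[ProcEntry]) -> List[Tuple[int, str, int]]:
    """Return (pid, comm, uid) for non-root processes whose loginuid was never set.

    Root daemons started directly by init legitimately have no loginuid.  A
    non-root process without one means the login path that created it ran
    before auditd was up, so nothing it does can be tied back to a login.
    """
    return [(pid, comm, uid) for pid, comm, uid, lu in entries
            if uid != 0 and not loginuid_is_set(lu)]


def read_proc_entry(proc: str, pid: int) -> ProcEntry:
    """Collect the fields we need for one pid from a /proc-style tree."""
    with open(f"{proc}/{pid}/loginuid") as f:
        lu = f.read()
    with open(f"{proc}/{pid}/comm") as f:
        comm = f.read().strip()
    uid = 0
    with open(f"{proc}/{pid}/status") as f:
        for line in f:
            if line.startswith("Uid:"):
                uid = int(line.split()[1])  # first field is the real uid
                break
    return (pid, comm, uid, lu)


def scan_proc(proc: str = "/proc") -> List[Tuple[int, str, int]]:
    """Walk a live /proc and report user processes with no loginuid."""
    entries = []
    for name in os.listdir(proc):
        if not name.isdigit():
            continue
        try:
            entries.append(read_proc_entry(proc, int(name)))
        except (FileNotFoundError, PermissionError, ProcessLookupError):
            continue  # process exited, or we are not allowed to inspect it
    return untracked_user_processes(entries)


# Constructed snapshot (hypothetical, not captured from a real machine) of a
# box where the display manager came up before auditd.
SAMPLE_SNAPSHOT: List[ProcEntry] = [
    (1,    "init",   0,    "4294967295\n"),  # init never logs in; unset is expected
    (812,  "auditd", 0,    "4294967295\n"),  # daemon started by init
    (901,  "gdm",    0,    "4294967295\n"),  # login daemon itself, also fine
    (1450, "bash",   1000, "4294967295\n"),  # user shell with no loginuid: untracked
    (1460, "bash",   1000, "1000\n"),        # shell from a login that ran after auditd
    (1502, "sshd",   500,  "500\n"),         # privilege-separated sshd child of a login
]

if __name__ == "__main__":
    for pid, comm, uid in untracked_user_processes(SAMPLE_SNAPSHOT):
        print(f"pid {pid} ({comm}) runs as uid {uid} with no loginuid set")
```

Run it as root against the live /proc (`scan_proc()`) right after a parallel boot: any interactive shell or desktop process listed is one whose audit records will carry auid=4294967295 and cannot be attributed to a login.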
