On Tue, 19.02.13 14:29, Jon Masters (jonat...@jonmasters.org) wrote:

> From: Jon Masters <j...@jonmasters.org>
>
> Systemd relies upon CONFIG_AUDITSYSCALL support being present in the
> kernel.

Actually it doesn't. There's just a bug with pkexec on systems that lack auditing, but we really should fix that. We definitely want to support audit-less systems. Even more, currently the kernel auditing layer is so borked that we ask everybody who wants to boot a full Fedora in an "nspawn" container to turn off auditing in the kernel via "audit=0", so we really should make sure everything works fine without auditing enabled in the kernel.

> This is because systemd-logind calls audit_session_from_pid, which uses
> /proc/self/sessionid to determine whether an existing session is being
> replaced as part of e.g. a call to sudo, pkexec, or similar. Without
> support for system call auditing, these commands will silently fail as
> their session is killed immediately after it is created by systemd.

audit_session_from_pid() should be used only to keep the audit session ID and the systemd session ID in sync. However, if audit_session_from_pid() fails to work we probably should check for cgroup membership as a fallback for determining whether the calling process already is part of a session.

Lennart

--
Lennart Poettering - Red Hat, Inc.
_______________________________________________
systemd-devel mailing list
systemd-devel@lists.freedesktop.org
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
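Added example, not part of the thread and not systemd's own code: a C sketch of the fallback described in the reply above, which tries the audit session ID first and then checks cgroup membership. The function names and the `session-<name>.scope` cgroup naming are assumptions; 4294967295 is the value the kernel reports in /proc/<pid>/sessionid when no audit session is set.

```c
#include <errno.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Parse the text of /proc/<pid>/sessionid. Returns 0 and sets *id,
 * -ENODATA if the kernel reports "unset" (4294967295), -EINVAL if malformed. */
int parse_audit_sessionid(const char *text, uint32_t *id) {
    char *end;
    errno = 0;
    unsigned long long v = strtoull(text, &end, 10);
    if (errno || *text < '0' || *text > '9' ||
        (*end != '\0' && *end != '\n') || v > UINT32_MAX)
        return -EINVAL;
    if (v == UINT32_MAX)
        return -ENODATA;
    *id = (uint32_t) v;
    return 0;
}

/* Fallback: find a "session-<name>.scope" component (assumed cgroup layout)
 * in the text of /proc/<pid>/cgroup and copy <name> into out. */
int session_from_cgroup(const char *cgroup_text, char *out, size_t outsz) {
    const char *p = cgroup_text;
    while ((p = strstr(p, "/session-")) != NULL) {
        p += strlen("/session-");
        size_t n = strcspn(p, "./\n");
        if (n > 0 && n < outsz && strncmp(p + n, ".scope", 6) == 0 &&
            (p[n + 6] == '\0' || p[n + 6] == '\n' || p[n + 6] == '/')) {
            memcpy(out, p, n);
            out[n] = '\0';
            return 0;
        }
    }
    return -ENODATA;
}

/* 1 if the process is already in a session, else 0. sessionid_text is NULL
 * when /proc/<pid>/sessionid is absent (kernel built without audit support). */
int already_in_session(const char *sessionid_text, const char *cgroup_text) {
    uint32_t id;
    char name[64];
    if (sessionid_text && parse_audit_sessionid(sessionid_text, &id) == 0)
        return 1;
    return cgroup_text && session_from_cgroup(cgroup_text, name, sizeof name) == 0;
}

int main(void) { /* constructed input: no sessionid file, cgroup v2 line */
    return !already_in_session(NULL, "0::/user.slice/user-1000.slice/session-3.scope\n");
}
```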