From: Enrico Scholz (enrico.scholz_at_sigma-chemnitz.de)
Date: Sun 17 Jul 2005 - 12:52:49 BST
herbert_at_13thfloor.at (Herbert Poetzl) writes:
>> > it seems to be impossible to use the audit (CONFIG_AUDIT) interface
>> > of the kernel within a vserver:
>> > | # auditctl -m 'foo'
>> > | Error sending user message request (Operation not permitted)
>> > ...
>> > This gives problems on Fedora Core 4 as recent pam upgrade
>> > is using this functionality and most actions (su, cron) will
>> > fail therefore.
>> hmm, does anybody know why pam would want to do syscall
>> auditing in the first place? I'm a little lost here actually
> ah, looks like redhat is patching again ...
> so I guess it's fine to remove pam_loginuid.so for now
> until the auditing interface is virtualized ...
Ok, as expected, the NETLINK problem can be solved by giving
CAP_AUDIT_WRITE permissions by default.
Next problem is a
| [pid 10153] open("/proc/self/loginuid", O_WRONLY|O_TRUNC|O_NOFOLLOW) = -1 EPERM (Operation not permitted)
Hiding /proc/self/loginuid (so that open(2) returns with -ENOENT)
seems to make newer pam_loginuid happy. As this cannot be done
with procfs-security, would it be possible to hide the "loginuid"
entry statically for context!=0? (I guess, making it writable is
more complicated than hiding it).
--
 /"\  ASCII Ribbon Campaign
 \ /  against HTML email & vCards
  X
 / \  http://www.harley.com/turn-off-html/

_______________________________________________
Vserver mailing list
Vserver_at_list.linux-vserver.org
http://list.linux-vserver.org/mailman/listinfo/vserver
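The mail above pins the pam_loginuid failure on two things: the audit netlink message needs CAP_AUDIT_WRITE, and pam_loginuid opens /proc/self/loginuid with O_WRONLY|O_TRUNC|O_NOFOLLOW and only tolerates ENOENT (entry hidden), not EPERM. The following diagnostic is an added example, not code from the mail or from the Linux-VServer project: it reproduces both checks from inside a guest so an administrator can tell which of the two conditions is present before touching pam configuration. It assumes the kernel's CAP_AUDIT_WRITE bit number (29 in linux/capability.h) and the `CapEff:` line format of /proc/self/status; the enum names and helper functions are this example's own.

```c
/* Added diagnostic (not from the original mail): reproduces the two checks the
 * thread describes -- is CAP_AUDIT_WRITE in the effective set (needed for the
 * audit netlink message auditctl/pam send), and can /proc/self/loginuid be
 * opened the way pam_loginuid does it? */
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

#define CAP_AUDIT_WRITE_BIT 29  /* CAP_AUDIT_WRITE from linux/capability.h */

enum loginuid_state {
    LOGINUID_WRITABLE,  /* open(2) succeeded: pam_loginuid can set it */
    LOGINUID_HIDDEN,    /* ENOENT: entry absent, which the mail reports pam_loginuid tolerates */
    LOGINUID_EPERM,     /* EPERM/EACCES: entry present but not writable, pam_loginuid fails */
    LOGINUID_OTHER      /* anything else (no procfs, unexpected errno) */
};

/* Classify the errno left by open("/proc/self/loginuid", O_WRONLY|O_TRUNC|O_NOFOLLOW).
 * err == 0 means the open succeeded. */
enum loginuid_state classify_loginuid_errno(int err)
{
    if (err == 0)
        return LOGINUID_WRITABLE;
    if (err == ENOENT)
        return LOGINUID_HIDDEN;
    if (err == EPERM || err == EACCES)
        return LOGINUID_EPERM;
    return LOGINUID_OTHER;
}

/* Issue the same open(2) pam_loginuid issues (flags taken from the strace line
 * in the mail) and classify the outcome. Nothing is written to the file. */
enum loginuid_state probe_loginuid(void)
{
    int fd = open("/proc/self/loginuid", O_WRONLY | O_TRUNC | O_NOFOLLOW);
    if (fd >= 0) {
        close(fd);
        return LOGINUID_WRITABLE;
    }
    return classify_loginuid_errno(errno);
}

/* Parse one line of /proc/self/status. If it is the "CapEff:" line, return 1
 * when capability bit `bit` is set and 0 when clear; return -1 for any other line. */
int capeff_has_bit(const char *line, int bit)
{
    static const char prefix[] = "CapEff:";
    size_t plen = sizeof prefix - 1;

    if (strncmp(line, prefix, plen) != 0)
        return -1;
    const char *p = line + plen;
    while (*p == ' ' || *p == '\t')
        p++;
    unsigned long long caps = strtoull(p, NULL, 16);
    return (int)((caps >> bit) & 1ULL);
}

/* Walk /proc/self/status and report whether CAP_AUDIT_WRITE is effective:
 * 1 = yes, 0 = no, -1 = status file unreadable or no CapEff line found. */
int have_cap_audit_write(void)
{
    FILE *f = fopen("/proc/self/status", "r");
    if (!f)
        return -1;
    char line[256];
    int result = -1;
    while (fgets(line, sizeof line, f)) {
        int r = capeff_has_bit(line, CAP_AUDIT_WRITE_BIT);
        if (r >= 0) {
            result = r;
            break;
        }
    }
    fclose(f);
    return result;
}

int main(void)
{
    static const char *names[] = { "writable", "hidden (ENOENT)",
                                   "present but EPERM/EACCES", "other" };
    int cap = have_cap_audit_write();
    printf("CAP_AUDIT_WRITE effective: %s\n",
           cap == 1 ? "yes" : cap == 0 ? "no" : "unknown");
    printf("/proc/self/loginuid: %s\n", names[probe_loginuid()]);
    return 0;
}
```

Run it as the user pam would run as inside the guest: "no" for CAP_AUDIT_WRITE explains the auditctl EPERM, and "present but EPERM/EACCES" for loginuid is the case the mail reports newer pam_loginuid cannot cope with, whereas "hidden (ENOENT)" is the state it asks for.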