From: Herbert Poetzl (herbert_at_13thfloor.at)
Date: Sun 17 Jul 2005 - 14:45:55 BST
On Sun, Jul 17, 2005 at 01:52:49PM +0200, Enrico Scholz wrote:
> herbert_at_13thfloor.at (Herbert Poetzl) writes:
> > > > it seems to be impossible to use the audit (CONFIG_AUDIT) interface
> > > > of the kernel within a vserver:
> > > >
> > > > | # auditctl -m 'foo'
> > > > | Error sending user message request (Operation not permitted)
> > > > ...
> > > > This gives problems on Fedora Core 4 as recent pam upgrade
> > > > is using this functionality and most actions (su, cron) will
> > > > fail therefore.
> > > hmm, does anybody know why pam would want to do syscall
> > > auditing in the first place? I'm a little lost here actually
> > > ...
> > ah, looks like redhat is patching again ...
> > http://people.redhat.com/sgrubb/audit/pam-0.78-loginuid.patch
> > so I guess it's fine to remove pam_loginuid.so for now
> > until the auditing interface is virtualized ...
> Ok, as expected, the NETLINK problem can be solved by giving
> CAP_AUDIT_WRITE permissions by default.
> Next problem is a
> | [pid 10153] open("/proc/self/loginuid", O_WRONLY|O_TRUNC|O_NOFOLLOW) = -1 EPERM (Operation not permitted)
> Hiding /proc/self/loginuid (so that open(2) returns with -ENOENT)
> seems to make newer pam_loginuid happy. As this cannot be done
> with procfs-security, would it be possible to hide the "loginuid"
> entry statically for context!=0? (I guess, making it writable is
> more complicated than hiding it).
I'd suggest we disable the auditing framework for now
(if the pam module is happy with that?) and try to
virtualize the auditing ASAP ...
do you have/know any good test tools except the FC4
pam plugin? could you try if disabling the audit
framework does indeed make it work?
if everything else fails, we can remove that entry
(or whatever entry is used to detect the auditing)
>  http://cvs.fedora.redhat.com/viewcvs/rpms/pam/FC-4/pam-0.79-cleanup-redhat.patch?r1=1.3&r2=1.4
Vserver mailing list
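The failure Enrico traced above hinges on the difference between two errno values from the same open(2) call: a hidden `/proc/self/loginuid` yields ENOENT and the newer pam_loginuid carries on, while a visible but unwritable entry yields EPERM and login fails. The following C program, added here as an illustration and not code from the thread, from pam_loginuid or from the vserver project, reproduces that decision as a small, testable routine. The path is a parameter so the logic can be exercised on an ordinary file; the policy that ENOENT is tolerated while EPERM is fatal is an assumption drawn from Enrico's observation, not a quote of pam_loginuid's source.

```c
#define _GNU_SOURCE
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

/* Outcome categories for one attempt to record the login uid. */
enum loginuid_result {
    LOGINUID_SET = 0,         /* entry opened and uid written */
    LOGINUID_UNAVAILABLE = 1, /* entry absent (ENOENT): audit not exposed here */
    LOGINUID_DENIED = 2,      /* entry present but EPERM/EACCES: the vserver case */
    LOGINUID_ERROR = 3        /* any other failure */
};

/* Create or truncate an empty file so the writer below can be exercised
 * on a constructed path instead of the real /proc/self/loginuid. */
int create_empty_file(const char *path)
{
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0)
        return -1;
    return close(fd);
}

/* Try to store uid at path using the same open flags the strace line
 * in the thread shows (O_WRONLY|O_TRUNC|O_NOFOLLOW). The errno that
 * caused a failure is handed back through saved_errno when non-NULL. */
enum loginuid_result set_loginuid_at(const char *path, uid_t uid, int *saved_errno)
{
    char buf[32];
    int fd = open(path, O_WRONLY | O_TRUNC | O_NOFOLLOW);
    if (fd < 0) {
        int e = errno;
        if (saved_errno)
            *saved_errno = e;
        if (e == ENOENT)
            return LOGINUID_UNAVAILABLE;
        if (e == EPERM || e == EACCES)
            return LOGINUID_DENIED;
        return LOGINUID_ERROR;
    }
    int len = snprintf(buf, sizeof buf, "%u", (unsigned)uid);
    ssize_t n = write(fd, buf, (size_t)len);
    int werr = errno;
    close(fd);
    if (n != len) {
        if (saved_errno)
            *saved_errno = werr;
        return (werr == EPERM || werr == EACCES) ? LOGINUID_DENIED : LOGINUID_ERROR;
    }
    return LOGINUID_SET;
}

/* Read back the uid stored at path; -1 if it cannot be read. */
long read_loginuid_at(const char *path)
{
    char buf[32];
    int fd = open(path, O_RDONLY | O_NOFOLLOW);
    if (fd < 0)
        return -1;
    ssize_t n = read(fd, buf, sizeof buf - 1);
    close(fd);
    if (n <= 0)
        return -1;
    buf[n] = '\0';
    return strtol(buf, NULL, 10);
}

/* Assumed policy: a PAM-style caller continues when the entry is hidden
 * (ENOENT) but fails closed when it exists and the write is refused. */
int loginuid_outcome_is_fatal(enum loginuid_result r)
{
    return r == LOGINUID_DENIED || r == LOGINUID_ERROR;
}

int main(void)
{
    int err = 0;
    enum loginuid_result r = set_loginuid_at("/proc/self/loginuid", getuid(), &err);
    printf("/proc/self/loginuid: result=%d errno=%s fatal=%d\n",
           (int)r, r == LOGINUID_SET ? "none" : strerror(err),
           loginuid_outcome_is_fatal(r));
    return 0;
}
```

Run as an unprivileged user on a current kernel the probe normally reports LOGINUID_DENIED, which is the situation Enrico's strace captured inside a vserver; on a kernel without CONFIG_AUDIT the entry is missing and the result is LOGINUID_UNAVAILABLE, the case that hiding the entry emulates.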