7:11 a.m.
Hello,
while trying to make sense of the remaining C bits in anaconda, I found
that we actually have a mock auditd, which does nothing and replaces the
real auditd on boot.iso, via lorax templates.
Now I'm trying to understand why. Is it because it writes too much to
journal? Is it because it takes 90 MB memory? Something else?
Steve, Brian - would you know?
PS: https://github.com/rhinstaller/anaconda/pull/4331 - moving it from the
python module directory where it was hiding.
Best,
Vladimir
--
Vladimír Slávik <vslavik(a)redhat.com>
Software Engineer, Platform Engineering
Red Hat Czech, s.r.o.
9:20 a.m.
Hello,
On Thursday, September 15, 2022 8:11:39 AM EDT Vladimir Slavik wrote:
while trying to make sense of the remaining C bits in anaconda, I
found
that we actually have a mock auditd, which does nothing and replaces the
real auditd on boot.iso, via lorax templates.
Now I'm trying to understand why. Is it because it writes too much to
journal? Is it because it takes 90 MB memory? Something else?
Steve, Brian - would you know?
PS: https://github.com/rhinstaller/anaconda/pull/4331 - moving it from the
python module directory where it was hiding.
I would guess that they are trying to prevent hardwired audit events from
going into the install logs. If you boot with audit=0, you wouldn't need a
mock auditd because auditing is disabled...except that systemd-journald
blindly enables auditing. Maybe they fixed it to respect the command line by
now, I don't know.
Another item, and maybe this is the reason, if there is no auditd, selinux
sends AVC's to syslog. So, maybe it's to suppress AVC's?
I'd suggest booting with audit=0. If you get any events in your logs, you can
probably replace auditd with a python variant. Libaudit has python bindings.
It is not well tested for handling audit events. But it is used by semanage
and some other python programs.
-Steve
10:31 a.m.
On Thu, Sep 15, 2022 at 10:20:04AM -0400, Steve Grubb wrote:
Hello,
On Thursday, September 15, 2022 8:11:39 AM EDT Vladimir Slavik wrote:
> while trying to make sense of the remaining C bits in anaconda, I found
> that we actually have a mock auditd, which does nothing and replaces the
> real auditd on boot.iso, via lorax templates.
>
> Now I'm trying to understand why. Is it because it writes too much to
> journal? Is it because it takes 90 MB memory? Something else?
>
> Steve, Brian - would you know?
>
> PS: https://github.com/rhinstaller/anaconda/pull/4331 - moving it from the
> python module directory where it was hiding.
I would guess that they are trying to prevent hardwired audit events from
going into the install logs. If you boot with audit=0, you wouldn't need a
mock auditd because auditing is disabled...except that systemd-journald
blindly enables auditing. Maybe they fixed it to respect the command line by
now, I don't know.
Another item, and maybe this is the reason, if there is no auditd, selinux
sends AVC's to syslog. So, maybe it's to suppress AVC's?
I'd suggest booting with audit=0. If you get any events in your logs, you can
probably replace auditd with a python variant. Libaudit has python bindings.
It is not well tested for handling audit events. But it is used by semanage
and some other python programs.
I talked to pjones (update in the PR as well) and it was because space
was limited and something needed to listen to the socket to throw away
the messages. My guess is that this is still valid, I don't think it
would provide anything useful in the installer environment, and would
just clutter up the journal with irrelevant messages. Maybe.
Booting with audit=0 may work, but one thing to remember is some people
use PXE and wouldn't have the same cmdline as the iso, so it may be
better to just keep this so it 'Just Works(TM)'.
Brian
--
Brian C. Lane (PST8PDT) - weldr.io - lorax - parted - pykickstart
3:38 a.m.
Thank you both!
I agree that keeping this is the better option for now. I'll add the
information from here to a readme, so that this vital information will be
available for the next code archeologist.
Best,
V+
On Thu, Sep 15, 2022 at 5:31 PM Brian C. Lane <bcl(a)redhat.com> wrote:
On Thu, Sep 15, 2022 at 10:20:04AM -0400, Steve Grubb wrote:
> Hello,
>
> On Thursday, September 15, 2022 8:11:39 AM EDT Vladimir Slavik wrote:
> > while trying to make sense of the remaining C bits in anaconda, I found
> > that we actually have a mock auditd, which does nothing and replaces
the
> > real auditd on boot.iso, via lorax templates.
> >
> > Now I'm trying to understand why. Is it because it writes too much to
> > journal? Is it because it takes 90 MB memory? Something else?
> >
> > Steve, Brian - would you know?
> >
> > PS: https://github.com/rhinstaller/anaconda/pull/4331 - moving it
from the
> > python module directory where it was hiding.
>
> I would guess that they are trying to prevent hardwired audit events
from
> going into the install logs. If you boot with audit=0, you wouldn't need
a
> mock auditd because auditing is disabled...except that systemd-journald
> blindly enables auditing. Maybe they fixed it to respect the command
line by
> now, I don't know.
>
> Another item, and maybe this is the reason, if there is no auditd,
selinux
> sends AVC's to syslog. So, maybe it's to suppress AVC's?
>
> I'd suggest booting with audit=0. If you get any events in your logs,
you can
> probably replace auditd with a python variant. Libaudit has python
bindings.
> It is not well tested for handling audit events. But it is used by
semanage
> and some other python programs.
I talked to pjones (update in the PR as well) and it was because space
was limited and something needed to listen to the socket to throw away
the messages. My guess is that this is still valid, I don't think it
would provide anything useful in the installer environment, and would
just clutter up the journal with irrelevant messages. Maybe.
Booting with audit=0 may work, but one thing to remember is some people
use PXE and wouldn't have the same cmdline as the iso, so it may be
better to just keep this so it 'Just Works(TM)'.
Brian
--
Brian C. Lane (PST8PDT) - weldr.io - lorax - parted - pykickstart
--
Vladimír Slávik <vslavik(a)redhat.com>
Software Engineer, Platform Engineering
Red Hat Czech, s.r.o.
5:36 a.m.
Hi,
I wonder, couldn't we add `audit=0` to the initrd or enable it in the
initrd by our dracut modules? I think that would be better solution that
having a code to drop messages.
Best Regards,
Jirka
Dne 15. 09. 22 v 17:31 Brian C. Lane napsal(a):
On Thu, Sep 15, 2022 at 10:20:04AM -0400, Steve Grubb wrote:
> Hello,
>
> On Thursday, September 15, 2022 8:11:39 AM EDT Vladimir Slavik wrote:
>> while trying to make sense of the remaining C bits in anaconda, I found
>> that we actually have a mock auditd, which does nothing and replaces the
>> real auditd on boot.iso, via lorax templates.
>>
>> Now I'm trying to understand why. Is it because it writes too much to
>> journal? Is it because it takes 90 MB memory? Something else?
>>
>> Steve, Brian - would you know?
>>
>> PS: https://github.com/rhinstaller/anaconda/pull/4331 - moving it from the
>> python module directory where it was hiding.
> I would guess that they are trying to prevent hardwired audit events from
> going into the install logs. If you boot with audit=0, you wouldn't need a
> mock auditd because auditing is disabled...except that systemd-journald
> blindly enables auditing. Maybe they fixed it to respect the command line by
> now, I don't know.
>
> Another item, and maybe this is the reason, if there is no auditd, selinux
> sends AVC's to syslog. So, maybe it's to suppress AVC's?
>
> I'd suggest booting with audit=0. If you get any events in your logs, you can
> probably replace auditd with a python variant. Libaudit has python bindings.
> It is not well tested for handling audit events. But it is used by semanage
> and some other python programs.
I talked to pjones (update in the PR as well) and it was because space
was limited and something needed to listen to the socket to throw away
the messages. My guess is that this is still valid, I don't think it
would provide anything useful in the installer environment, and would
just clutter up the journal with irrelevant messages. Maybe.
Booting with audit=0 may work, but one thing to remember is some people
use PXE and wouldn't have the same cmdline as the iso, so it may be
better to just keep this so it 'Just Works(TM)'.
Brian
7:26 a.m.
Hello!
So, the solution appears to be: keep all audit-related binaries on
boot.iso, run auditctl -e 0 instead of our mock, and the result is roughly
the same. So that's what we will do.
https://github.com/rhinstaller/anaconda/pull/4358
https://github.com/weldr/lorax/pull/1271
Best,
Vladimir
On Thu, Sep 15, 2022 at 2:11 PM Vladimir Slavik <vslavik(a)redhat.com> wrote:
Hello,
while trying to make sense of the remaining C bits in anaconda, I found
that we actually have a mock auditd, which does nothing and replaces the
real auditd on boot.iso, via lorax templates.
Now I'm trying to understand why. Is it because it writes too much to
journal? Is it because it takes 90 MB memory? Something else?
Steve, Brian - would you know?
PS: https://github.com/rhinstaller/anaconda/pull/4331 - moving it from
the python module directory where it was hiding.
Best,
Vladimir
--
Vladimír Slávik <vslavik(a)redhat.com>
Software Engineer, Platform Engineering
Red Hat Czech, s.r.o.
--
Vladimír Slávik <vslavik(a)redhat.com>
Software Engineer, Platform Engineering
Red Hat Czech, s.r.o.
562
days inactive
581
days old
anaconda-devel@lists.fedoraproject.org
5 comments
4 participants
participants (4)
-
Brian C. Lane -
Jiri Konecny -
Steve Grubb -
Vladimir Slavik