On Mon, 2013-02-18 at 13:15 -0500, Josh Boyer wrote:
On Mon, Feb 18, 2013 at 06:07:08PM +0100, Michal Schmidt wrote:
> Hello Fedora kernel maintainers,
>
> please consider setting CONFIG_AUDIT_LOGINUID_IMMUTABLE=y for F19.
>
> It brings a security benefit and should be safe to turn on since
> we're using systemd to start services.

Refresh my memory please. Are we using systemd to start 100% of the
services provided in Fedora? I seem to recall there are still a number
of packages not using/providing systemd unit files. Would enabling this
cause them to get weird EPERM errors?

Is there a simple thing to check for aside from EPERM if issues from
this do pop up?

Daemons with a config requiring pam_loginuid.so will be unable to work if
they are launched by a logged-in admin as opposed to systemd. Obvious
workaround is to change the pam config.
Login daemons launched by sysinit at boot will work.
Login daemons launched by systemd will work.
Login daemons launched by sysinit from a logged-in admin will fail.
Make sense?
I'm not sure what pam spews into the logs...
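
Added example, not part of the original thread: a pre-flight check for the three cases listed in the reply. It reads a `/proc/<pid>/loginuid` value and scans a PAM directory for services that mark `pam_loginuid.so` as `required` or `requisite`. The service names and file contents are constructed, the failure rule is the one stated in the reply, and `include`/`substack` lines are not followed.

```python
import os
import re
import tempfile

UNSET = 4294967295  # (uid_t)-1, what /proc/<pid>/loginuid reads before any login
PAM_LINE = re.compile(r"^-?(\w+)\s+(\[[^\]]*\]|\S+)\s+(\S+)")  # type control module

# Constructed sample PAM service files (not taken from any real system).
SAMPLE = {
    "sshd": "auth include system-auth\nsession required pam_loginuid.so\n",
    "crond": "# session required pam_loginuid.so\nsession optional pam_loginuid.so\n",
    "mydaemon": "session requisite /lib64/security/pam_loginuid.so\n",
    "su": "session include system-auth\n",
}

def loginuid_is_set(proc_value):
    """Interpret the text read from /proc/<pid>/loginuid."""
    return int(proc_value.strip()) != UNSET

def services_requiring_loginuid(pam_dir):
    """Services whose own file has a required/requisite pam_loginuid.so line."""
    hits = []
    for name in sorted(os.listdir(pam_dir)):
        path = os.path.join(pam_dir, name)
        if not os.path.isfile(path):
            continue
        with open(path, errors="replace") as fh:
            for raw in fh:
                m = PAM_LINE.match(raw.split("#", 1)[0].strip())  # drop comments
                if (m and os.path.basename(m.group(3)) == "pam_loginuid.so"
                        and m.group(2) in ("required", "requisite")):
                    hits.append(name)
                    break
    return hits

def at_risk(pam_dir, proc_value):
    """Services expected to fail if started from a process with this loginuid."""
    return services_requiring_loginuid(pam_dir) if loginuid_is_set(proc_value) else []

def write_sample(dest):
    for name, body in SAMPLE.items():
        with open(os.path.join(dest, name), "w") as fh:
            fh.write(body)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        write_sample(d)
        print("from admin shell (loginuid 1000):", at_risk(d, "1000\n"))
        print("from boot (loginuid unset):", at_risk(d, "4294967295\n"))
```

On a real host, pass `/etc/pam.d` and the contents of `/proc/self/loginuid` from the shell that would start the daemon.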