10-29-2008, 08:04 PM
Steve Grubb

PolicyKit auditing - was Fedora 11: moving to posix file capabilities?

On Wednesday 29 October 2008 16:52:48 Colin Walters wrote:
> > Not sure I follow your question. I am talking about /proc/<pid>/loginuid
> > and sessionid.
>
> Oh. Well, if your application uses PolicyKit there are *two*
> programs; the privileged mechanism, and the unprivileged application.
> The unprivileged application of course maintains the loginuid.

Which is a problem. We have no way to connect the session ID for the backend
with the frontend. That means we can't make a killall mechanism that nails
everything in a login session.


> > Where's the GUI or commandline tool that lets me configure it? I may need
> > to have auditing of who changed what entry in that file. When I chmod
> > 4755 a program, I know who changed it, what the old and new values are,
> > when they did it, and what the outcome was.
>
> There's no real story on that other than "uid 0" and $EDITOR yet.
> This is basically the same as all the other OS config files.

No...we have a handful of apps that audit changes to trusted databases.
password and adduser are two examples.


> > True...but this is a discussion that needs to be had so that it can be
> > fixed. Auditing from user space is not trustworthy and that's why it's
> > done from the kernel.
>
> Hmm? SELinux userspace enforcers (dbus and X.org) are using the audit
> system; I don't think it's reasonable to say that the kernel is the
> only component of the TCB.

I have to be able to tell the audit system to include or exclude events from
certain users. That would mean a user space access control daemon would have
to download and enforce audit policy. Nothing else does that because all the
necessary process attributes are maintained across the exec model and the
kernel can access it all.

-Steve

--
fedora-devel-list mailing list
fedora-devel-list@redhat.com
https://www.redhat.com/mailman/listinfo/fedora-devel-list
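
Added example (not part of the original post, and not code from PolicyKit or the audit project): a sketch of what grouping processes by `/proc/<pid>/loginuid` and `/proc/<pid>/sessionid` looks like, showing why a session-wide kill keyed on the session ID would miss a privileged mechanism. The sample tree, PIDs and process names are constructed, and the mechanism is assumed to have been started outside any login, so its IDs are unset; `/proc/<pid>/comm` needs a newer kernel than the ones current when this thread was written.

```python
import os
import tempfile
from collections import defaultdict

UNSET = 4294967295  # (unsigned)-1: kernel value for "never set by a login"

def read_audit_ids(proc_root, pid):
    """Return (loginuid, sessionid, comm) for pid, or None if unreadable."""
    fields = []
    for name in ("loginuid", "sessionid", "comm"):
        try:
            with open(os.path.join(proc_root, str(pid), name)) as f:
                fields.append(f.read().strip())
        except OSError:
            return None  # process exited, or kernel built without audit
    try:
        return int(fields[0]), int(fields[1]), fields[2]
    except ValueError:
        return None

def processes_by_session(proc_root="/proc"):
    """Map audit sessionid -> sorted list of (pid, loginuid, comm)."""
    sessions = defaultdict(list)
    for entry in os.listdir(proc_root):
        if entry.isdigit():
            ids = read_audit_ids(proc_root, entry)
            if ids is not None:
                loginuid, sessionid, comm = ids
                sessions[sessionid].append((int(entry), loginuid, comm))
    return {sid: sorted(procs) for sid, procs in sessions.items()}

def build_sample_proc():
    """Constructed sample tree: two session processes and one mechanism."""
    sample = {
        1200: (500, 3, "example-session"),    # hypothetical login session
        1250: (500, 3, "example-frontend"),   # hypothetical unprivileged app
        1300: (UNSET, UNSET, "example-mechanism"),  # assumed started outside any login
    }
    root = tempfile.mkdtemp()
    for pid, values in sample.items():
        os.makedirs(os.path.join(root, str(pid)))
        for name, value in zip(("loginuid", "sessionid", "comm"), values):
            with open(os.path.join(root, str(pid), name), "w") as f:
                f.write(f"{value}\n")
    return root

if __name__ == "__main__":
    for sid, procs in sorted(processes_by_session(build_sample_proc()).items()):
        print("unset" if sid == UNSET else sid, procs)
```

Calling `processes_by_session()` with no argument reads the live `/proc`; processes listed under the unset session are the ones a per-session sweep cannot attribute to any login.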
 
10-29-2008, 08:17 PM
Colin Walters

PolicyKit auditing - was Fedora 11: moving to posix file capabilities?

On Wed, Oct 29, 2008 at 5:04 PM, Steve Grubb <sgrubb@redhat.com> wrote:
> On Wednesday 29 October 2008 16:52:48 Colin Walters wrote:
>> > Not sure I follow your question. I am talking about /proc/<pid>/loginuid
>> > and sessionid.
>>
>> Oh. Well, if your application uses PolicyKit there are *two*
>> programs; the privileged mechanism, and the unprivileged application.
>> The unprivileged application of course maintains the loginuid.
>
> Which is a problem. We have no way to connect the session ID for the backend
> with the frontend. That means we can't make a killall mechanism that nails
> everything in a login session.

Conceptually the mechanism isn't part of the login session, it's OS
infrastructure that runs in userspace, just like libvirtd, iscsid[1]
or HAL. In particular the same mechanism process can be reused by
multiple uids, just as multiple uids can share a page cache entry in
the kernel or enumerate devices from the HAL daemon.

> No...we have a handful of apps that audit changes to trusted databases.
> password and adduser are two examples.

Sure...but that's a tiny minority of files for the core OS; at least
looking at "ls /etc". Don't get me wrong, I think it would make sense
to have a frontend tool but I can't see how the lack of one would be
considered a blocker.

> I have to be able to tell the audit system to include or exclude events from
> certain users. That would mean a user space access control daemon would have
> to download and enforce audit policy. Nothing else does that because all the
> necessary process attributes are maintained across the exec model and the
> kernel can access it all.

How Policykit should interact with auditing sounds like something to
bring up on the PolicyKit list; like I said before I think we do want
at least auditing of dbus system activation and that would be a use
case for userspace audit policy loading.

[1] Why the heck is my F9 desktop running iscsid?

 
11-02-2008, 07:32 PM
drago01

PolicyKit auditing - was Fedora 11: moving to posix file capabilities?

On Wed, Oct 29, 2008 at 10:17 PM, Colin Walters <walters@verbum.org> wrote:

> [1] Why the heck is my F9 desktop running iscsid?

pulled in by libvirt

 
