[systemd-devel] auditd.service and RefuseManualStop

Colin Guthrie gmane at colin.guthr.ie
Thu Apr 3 10:00:15 PDT 2014


Hi,

Seems the upstream audit package includes this unit:

[Unit]
Description=Security Auditing Service
DefaultDependencies=no
After=local-fs.target
Conflicts=shutdown.target
Before=sysinit.target shutdown.target
RefuseManualStop=yes

[Service]
ExecStart=/sbin/auditd -n
## To use augenrules, copy this file to /etc/systemd/system/auditd.service
## and uncomment the next line and delete/comment out the auditctl line.
## Then copy existing rules to /etc/audit/rules.d/
## Not doing this last step can cause loss of existing rules
#ExecStartPost=-/sbin/augenrules --load
ExecStartPost=-/sbin/auditctl -R /etc/audit/audit.rules
ExecReload=/bin/kill -HUP $MAINPID

[Install]
WantedBy=multi-user.target




Obviously, the RefuseManualStop here makes it impossible to stop this
service when the package is uninstalled.

Failed to issue method call: Operation refused, unit auditd.service may
be requested by dependency only.



Technically we can call systemctl stop *after* the unit file has
disappeared (and possibly the daemon reloaded) and systemd will
apparently tidy up the processes in the cgroup, but this seems wrong and
dirty (a slightly less dirty approach would be to add a temporary dropin
file to override RefuseManualStop, do a reload and then stop it, then
remove the dropin file, but this also feels somewhat cumbersome).


Alternatively we can do "systemctl kill" in this case prior to uninstall
and that will work (systemctl kill does not respect RefuseManualStop).

I also tried using systemctl stop with --force and --ignore-dependencies
but neither overrode the RefuseManualStop=yes directive (unsurprisingly).
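As an added example (not from Colin's message or from the audit package), here is a POSIX sh fragment a package scriptlet could use to implement the two workarounds discussed above: detect RefuseManualStop=yes in the installed unit and fall back to "systemctl kill", or write the temporary drop-in that clears the flag. The unit file path, the drop-in root directory, the drop-in file name and the preference for "systemctl kill" over the drop-in dance are assumptions; the helpers parse the unit text rather than talking to systemd so they can be exercised offline.

```shell
#!/bin/sh
# Added example, not part of the original post or the audit package.
# Helpers a package scriptlet could run before stopping a unit that may
# carry RefuseManualStop=yes. The unit text is parsed directly (no calls
# into systemd), so the decision logic can be tested without a running PID 1.

# unit_refuses_manual_stop FILE
# Exit 0 when the [Unit] section sets RefuseManualStop to a true value.
unit_refuses_manual_stop() {
    awk '
        /^\[/ { section = $0 }
        section == "[Unit]" && /^[[:space:]]*RefuseManualStop[[:space:]]*=/ {
            v = $0; sub(/^[^=]*=/, "", v); gsub(/[[:space:]]/, "", v)
            if (v ~ /^(yes|true|on|1)$/) found = 1
        }
        END { if (found) exit 0; exit 1 }
    ' "$1"
}

# stop_plan UNITFILE UNITNAME
# Print the command a preun scriptlet should run. A plain "systemctl stop"
# is refused for such units ("may be requested by dependency only");
# "systemctl kill" is the stop-like verb that does not honour the flag.
stop_plan() {
    if unit_refuses_manual_stop "$1"; then
        echo "systemctl kill $2"
    else
        echo "systemctl stop $2"
    fi
}

# write_stop_override DROPIN_ROOT UNITNAME
# The less blunt alternative: a temporary drop-in that clears the flag.
# Assumed workflow for real use: pass /run/systemd/system as the root,
# run "systemctl daemon-reload", stop the unit, then delete the file.
write_stop_override() {
    d="$1/$2.d"
    mkdir -p "$d"
    printf '[Unit]\nRefuseManualStop=no\n' > "$d/99-uninstall.conf"
    echo "$d/99-uninstall.conf"
}
```

Calling stop_plan on the auditd unit shown above prints "systemctl kill auditd.service"; on a unit without the directive it prints the ordinary "systemctl stop" line.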


There are also problems restarting the daemon on upgrade but perhaps
this should be generally avoided for audit?


Anyway, just wanted to discuss the best approach here. Perhaps the
upstream unit could be tweaked? Perhaps RefuseManualStop is overkill?

Col




-- 

Colin Guthrie
gmane(at)colin.guthr.ie
http://colin.guthr.ie/

Day Job:
  Tribalogic Limited http://www.tribalogic.net/
Open Source:
  Mageia Contributor http://www.mageia.org/
  PulseAudio Hacker http://www.pulseaudio.org/
  Trac Hacker http://trac.edgewall.org/

