[systemd-devel] [PATCH] audit: Fix journal failing on unsupported audit in containers [was: journal: don't complain about audit socket errors in a container.]

Lennart Poettering lennart at poettering.net
Thu May 21 03:52:08 PDT 2015


On Wed, 20.05.15 22:40, Martin Pitt (martin.pitt at ubuntu.com) wrote:

> Hey Lennart,
> 
> Lennart Poettering [2015-05-20 17:49 +0200]:
> > Nope, ConditionSecurity=audit is only a simple boolean check that
> > holds when audit is enabled at all. It doesn't tell you anything about
> > the precise audit feature set of the kernel.
> 
> Ah, thanks for the clarification.
> 
> > I have now conditionalized the unit on CAP_ADMIN_READ, which is the
> > cap that you need to read the audit multicast stuff. Your container
> > manager hence should simply drop that cap from the cap set it passes
> > and all should be good.
> 
> Wonderful! Now it works perfectly in nspawn. (This needs to be fixed
> in unprivileged LXC containers, but that's not a systemd problem; I'll
> talk to LXC upstream about that).
> 
> With these two fixes, should we now remove the scary warning in
> README? AFAICS there is no need to turn auditing off on the host any
> more.

As mentioned before: unless you turn auditing off in the kernel,
you cannot even log into any Fedora system running in a container
(unless you have the seccomp trick on and are on x86-64). The message
hence really should stay.

Note that Debian/Ubuntu are not as restrictive regarding audit as
Fedora is. In Fedora due to government craziness failing audit will
result in refused logins, and that's the issue here.

Lennart

-- 
Lennart Poettering, Red Hat
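
The thread's fix hinges on whether the capability that guards the audit multicast socket is present in the container's bounding set, which is also what systemd's ConditionCapability= inspects. The script below is an added example, not code from the thread or from systemd: it decodes the CapBnd: line of a /proc/<pid>/status excerpt and reports whether a given capability bit is set. The two status excerpts are constructed, not captured from a real system. The bit number 37 is the kernel's CAP_AUDIT_READ from linux/capability.h; that is the kernel's name for the capability the message above refers to as CAP_ADMIN_READ.

```shell
#!/bin/sh
# Added example (not from the systemd thread): decode the CapBnd: line of a
# /proc/<pid>/status file and tell whether one capability is in the process's
# bounding set. Run inside a container to confirm the container manager really
# dropped the capability the journal's audit unit is conditioned on.
#
# Bit numbers follow linux/capability.h; CAP_AUDIT_READ is bit 37.
CAP_AUDIT_READ=37

# cap_in_mask HEXMASK BIT -> exit 0 if BIT is set in the 16-hex-digit mask
cap_in_mask() {
    _mask=$1 _bit=$2
    # sh arithmetic is at least 64-bit (intmax_t) in dash and bash, so the
    # full mask fits; >> binds tighter than &, so this isolates one bit.
    [ $(( 0x$_mask >> $_bit & 1 )) -eq 1 ]
}

# capbnd_of_status STATUSTEXT -> prints the hex value after "CapBnd:"
capbnd_of_status() {
    printf '%s\n' "$1" | sed -n 's/^CapBnd:[[:space:]]*//p'
}

# has_bounding_cap STATUSTEXT BIT -> 0 if BIT is in the bounding set,
# 1 if it is not, 2 if the text carries no CapBnd: line at all.
has_bounding_cap() {
    _m=$(capbnd_of_status "$1")
    [ -n "$_m" ] || return 2
    cap_in_mask "$_m" "$2"
}

# Constructed sample excerpts (not captured from a real system):
# bits 0..37 all set, and the same set with bit 37 cleared.
HOST_STATUS='Name: bash
CapInh: 0000000000000000
CapPrm: 0000003fffffffff
CapEff: 0000003fffffffff
CapBnd: 0000003fffffffff'

CONTAINER_STATUS='Name: systemd
CapInh: 0000000000000000
CapPrm: 0000001fffffffff
CapEff: 0000001fffffffff
CapBnd: 0000001fffffffff'

# report STATUSTEXT -> one line saying whether CAP_AUDIT_READ is reachable
report() {
    if has_bounding_cap "$1" "$CAP_AUDIT_READ"; then
        echo "CAP_AUDIT_READ (bit $CAP_AUDIT_READ) is in the bounding set"
    else
        echo "CAP_AUDIT_READ (bit $CAP_AUDIT_READ) is NOT in the bounding set"
    fi
}

# When run directly, check the shell's own process.
if [ -r /proc/self/status ]; then
    report "$(cat /proc/self/status)"
fi
```

Run it as `sh check-audit-cap.sh` inside the container; if the line says the bit is in the bounding set, the container manager is still passing the capability and the conditioned unit will start. For systemd-nspawn the capability set handed to the container can be trimmed with its --drop-capability= option.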

