[systemd-devel] [PATCH] audit: Fix journal failing on unsupported audit in containers [was: journal: don't complain about audit socket errors in a container.]

Lennart Poettering lennart at poettering.net
Thu May 21 03:52:08 PDT 2015

On Wed, 20.05.15 22:40, Martin Pitt (martin.pitt at ubuntu.com) wrote:

> Hey Lennart,
> Lennart Poettering [2015-05-20 17:49 +0200]:
> > Nope, ConditionSecurity=audit is only a simple boolean check that
> > holds when audit is enabled at all. It doesn't tell you anything about
> > the precise audit feature set of the kernel.
> Ah, thanks for the clarification.
> > I have now conditionalized the unit on CAP_ADMIN_READ, which is the
> > cap that you need to read the audit multicast stuff. Your container
> > manager hence should simply drop that cap from the cap set it passes
> > and all should be good.
> Wonderful! Now it works perfectly in nspawn. (This needs to be fixed
> in unprivileged LXC containers, but that's not a systemd problem; I'll
> talk to LXC upstream about that).
> With these two fixes, should we now remove the scary warning in
> README? AFAICS there is no need to turn auditing off on the host any
> more.

As mentioned before: unless you turn auditing off in the kernel,
you cannot even log into any Fedora system running in a container
(unless you have the seccomp trick on and are on x86-64). The message
hence really should stay.

Note that Debian/Ubuntu are not as restrictive regarding audit as
Fedora is. In Fedora due to government craziness failing audit will
result in refused logins, and that's the issue here.


Lennart Poettering, Red Hat
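A check of the mechanism discussed above, added here as an example and not code from the thread or from systemd: given the CapBnd line of a /proc/<pid>/status file, it reports whether the bounding set still contains CAP_AUDIT_READ (capability number 37), i.e. whether a unit conditioned on that capability would still be started inside the container. The function names and the sample status text are constructed for this example.

```shell
#!/bin/sh
# Added example, not from the thread or from systemd: decide whether a
# process's bounding capability set still holds CAP_AUDIT_READ, the cap
# the thread says the journald audit socket unit is now conditioned on.

CAP_AUDIT_READ=37   # capability number as defined in linux/capability.h

# has_cap MASK BIT -> exit 0 if BIT is set in the hex capability MASK
# (MASK is the value as printed in /proc/<pid>/status, without "0x").
has_cap() {
    mask=$1
    bit=$2
    [ -n "$mask" ] || return 1
    [ $(( (0x$mask >> bit) & 1 )) -eq 1 ]
}

# audit_read_from_status STATUS_TEXT -> prints "present" or "absent"
# depending on whether the CapBnd line in STATUS_TEXT includes
# CAP_AUDIT_READ. On a live system STATUS_TEXT would be the contents of
# /proc/<pid>/status for the container's init (e.g. pid 1 inside it).
audit_read_from_status() {
    mask=$(printf '%s\n' "$1" | sed -n 's/^CapBnd:[[:space:]]*//p')
    if has_cap "$mask" "$CAP_AUDIT_READ"; then
        echo present
    else
        echo absent
    fi
}

# Constructed sample input: a full bounding set (bits 0..37) such as a
# privileged container might receive, and one with bit 37 cleared, which
# is what the thread recommends the container manager hand out.
FULL_STATUS='Name:	systemd
CapBnd:	0000003fffffffff'
TRIMMED_STATUS='Name:	systemd
CapBnd:	0000001fffffffff'

audit_read_from_status "$FULL_STATUS"     # present
audit_read_from_status "$TRIMMED_STATUS"  # absent
```

To check a real container, replace the constructed text with `cat /proc/<pid>/status` for a process running inside it.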
