Bug 506418 - sys-apps/systemd: CONFIG_AUDITSYSCALL=y really required for pam_systemd.so these days? time to reverify.
Status: RESOLVED FIXED
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo systemd Team
Reported: 2014-04-01 08:26 UTC by Ulenrich
Modified: 2014-06-11 15:13 UTC
Description Ulenrich 2014-04-01 08:26:29 UTC
I have my kernel .config set to  CONFIG_AUDIT=n
because I wanted to play with containers and systemd-212 README states:
---
        Note that kernel auditing is broken when used with systemd's
        container code. When using systemd in conjunction with
        containers, please make sure to either turn off auditing at
        runtime using the kernel command line option "audit=0", or
        turn it off at kernel compile time using:
          CONFIG_AUDIT=n
---
But there is a warning popping up from the ebuild saying I should set it to yes.
Perhaps the warning was outdated?
Or the upstream systemd README is outdated?
Comment 1 Samuli Suominen (RETIRED) gentoo-dev 2014-04-01 08:58:09 UTC
well, CONFIG_AUDITSYSCALL=y is required for /proc/<pid>/sessionid, and sessionid is used by the pam_systemd.so module when not using a display manager, i.e. for tracking the user from text login -> to console -> to startx -> to X11

this dependency is inherited from sys-auth/consolekit, which uses same thing for pam_ck_connector.so

so, unless pam_systemd.so has evolved in a way sessionid is no longer required in /proc, it is still required

last time I brought this up with systemd upstream maintainer, he said he considers it optional because it's only used by logind, and only when not using "proper" display manager, and even then there were some cases it works (can't remember how)

i guess it's easy to test and verify, if user is seen as 'active user' by logind, even without audit support in kernel, when using text login & startx, ...
Comment 2 Samuli Suominen (RETIRED) gentoo-dev 2014-06-04 09:33:59 UTC
#gentoo-systemd from today,

09:55 < grawity> though latest logind releases do not require that anymore (Arch turned off CONFIG_AUDIT completely a month ago); it gets all information from cgroups of the process

So it seems CONFIG_AUDITSYSCALL check should be removed from at least >=sys-apps/systemd-213 and this bug be closed with it
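
The two session sources discussed in comments 1 and 2 (the audit session id in /proc/<pid>/sessionid and the session scope in the process's cgroup path), as an added example that is not code from the ebuild, systemd or this bug. The function names and the sample files are constructed for illustration; paths are passed as arguments so the checks can be pointed at a real kernel config and /proc entries.

```shell
#!/bin/sh
# kconfig_state FILE OPTION -> y, m, n (explicit "is not set") or absent
kconfig_state() {
    if grep -q "^$2=y" "$1"; then echo y
    elif grep -q "^$2=m" "$1"; then echo m
    elif grep -q "^# $2 is not set" "$1"; then echo n
    else echo absent
    fi
}

# audit_sessionid FILE -> audit session id, or "none" when the file does not
# exist (no audit support in the kernel) or holds 4294967295, i.e. (u32)-1, unset
audit_sessionid() {
    [ -r "$1" ] || { echo none; return 0; }
    id=$(cat "$1")
    [ "$id" = 4294967295 ] && id=none
    echo "$id"
}

# cgroup_session FILE -> session id taken from a .../session-<id>.scope cgroup
# path, or "none" when the process is not inside a session scope
cgroup_session() {
    s=$(sed -n 's|.*/session-\([^/]*\)\.scope.*|\1|p' "$1" | head -n 1)
    echo "${s:-none}"
}

# Constructed sample inputs (not taken from a real host): a kernel built with
# CONFIG_AUDIT=n, so no sessionid file exists, and a text login whose shell
# sits in a logind session scope.
tmp=$(mktemp -d)
printf '%s\n' '# CONFIG_AUDIT is not set' > "$tmp/config"
printf '%s\n' '2:cpu:/' \
    '1:name=systemd:/user.slice/user-1000.slice/session-c2.scope' > "$tmp/cgroup"

echo "CONFIG_AUDIT:        $(kconfig_state "$tmp/config" CONFIG_AUDIT)"
echo "CONFIG_AUDITSYSCALL: $(kconfig_state "$tmp/config" CONFIG_AUDITSYSCALL)"
echo "audit sessionid:     $(audit_sessionid "$tmp/sessionid")"
echo "cgroup session:      $(cgroup_session "$tmp/cgroup")"
rm -rf "$tmp"
```

On a live system the same functions take /proc/self/sessionid and /proc/self/cgroup; a session id reported from the cgroup path while the audit id is "none" matches the behaviour described in comment 2.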
Comment 3 Samuli Suominen (RETIRED) gentoo-dev 2014-06-04 09:35:26 UTC
That also means that some arches that have USE="pam" *use.masked in their profiles because of missing CONFIG_AUDITSYSCALL, can now be unmasked:

arch/mips/package.use.mask:sys-apps/systemd pam
arch/alpha/package.use.mask:sys-apps/systemd pam

Those entries can be removed then too
Comment 4 Mike Gilbert gentoo-dev 2014-06-11 15:13:21 UTC
+  11 Jun 2014; Mike Gilbert <floppym@gentoo.org> systemd-213.ebuild,
+  systemd-9999.ebuild:
+  Drop CONFIG_AUDITSYSCALL check, bug 506418.