Enabling CONFIG_AUDIT* is needed by auditd and should be safe whether systemd
is used or not and is not specific to SELinux.
Note that systemd README has this old caveat mentioned
| Note that kernel auditing is broken when used with systemd's
| container code. When using systemd in conjunction with
| containers, please make sure to either turn off auditing at
| runtime using the kernel command line option "audit=0", or
| turn it off at kernel compile time using:
| CONFIG_AUDIT=n
| If systemd is compiled with libseccomp support on
| architectures which do not use socketcall() and where seccomp
| is supported (this effectively means x86-64 and ARM, but
| excludes 32-bit x86!), then nspawn will now install a
| work-around seccomp filter that makes containers boot even
| with audit being enabled. This works correctly only on kernels
| 3.14 and newer though. TL;DR: turn audit off, still.
But that seems to only apply to nspawn usage in some specific cases and on
older kernels, plus there are even runtime workarounds available when needed,
so let's enable it by default.
Bug-AGL: SPEC-4627
Change-Id: I5fcd58ba41929d2966fadea27b6751e4fa6589c9
Signed-off-by: Denys Dmytriyenko <denys@konsulko.com>
Reviewed-on: https://gerrit.automotivelinux.org/gerrit/c/AGL/meta-agl/+/28276
Tested-by: Jenkins Job builder account
ci-image-build: Jenkins Job builder account
ci-image-boot-test: Jenkins Job builder account
Reviewed-by: Jan-Simon Moeller <jsmoeller@linuxfoundation.org>
can-bus.cfg \
fanotify.cfg \
overlayfs.cfg \
+ audit.cfg \
${@bb.utils.contains('DISTRO_FEATURES', 'selinux', 'selinux.cfg', '', d)} \
${@bb.utils.contains('DISTRO_FEATURES', 'systemd', 'systemd-required.cfg', '', d)} \
"
--- /dev/null
+CONFIG_AUDIT=y
+CONFIG_AUDIT_GENERIC=y
-CONFIG_AUDIT=y
-CONFIG_AUDIT_GENERIC=y
CONFIG_NETWORK_SECMARK=y
CONFIG_EXT2_FS_SECURITY=y
CONFIG_EXT3_FS_SECURITY=y
Code Review / AGL / meta-agl.git / commitdiff