[Bug 1178154] New: Make reading audit.log as non-root easier
http://bugzilla.opensuse.org/show_bug.cgi?id=1178154

            Bug ID: 1178154
           Summary: Make reading audit.log as non-root easier
    Classification: openSUSE
           Product: openSUSE Tumbleweed
           Version: Current
          Hardware: Other
                OS: Other
            Status: NEW
          Severity: Enhancement
          Priority: P5 - None
         Component: Security
          Assignee: security-team@suse.de
          Reporter: suse-beta@cboltz.de
        QA Contact: qa-bugs@suse.de
          Found By: ---
           Blocker: ---

Currently /var/log/audit/audit.log is only readable for root:

drwx------ 1 root root     322 25. Okt 21:06 /var/log/audit/
-rw------- 1 root root 1815972 26. Okt 22:23 /var/log/audit/audit.log

However, there are use cases where users would benefit from being able to
read the audit.log, for example desktop notifications for AppArmor denials
(with aa-notify -p, which currently needs sudo).

Would it be possible to introduce a group "audit" and change the
permissions to

drwxr-x--- 1 root audit     322 25. Okt 21:06 /var/log/audit/
-rw-r----- 1 root audit 1815972 26. Okt 22:23 /var/log/audit/audit.log
    ^^^         ^^^^^

With that, users who want to use aa-notify -p could be added to the
"audit" group instead of needing sudo permissions.

-- 
You are receiving this mail because:
You are on the CC list for the bug.
http://bugzilla.opensuse.org/show_bug.cgi?id=1178154

Christian Boltz <suse-beta@cboltz.de> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |security-team@suse.de,
                   |                            |tonyj@suse.com
           Assignee|security-team@suse.de       |ematsumiya@suse.com
http://bugzilla.opensuse.org/show_bug.cgi?id=1178154
http://bugzilla.opensuse.org/show_bug.cgi?id=1178154#c1

Marcus Rückert <mrueckert@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |mrueckert@suse.com

--- Comment #1 from Marcus Rückert <mrueckert@suse.com> ---
aa-notify allows creating desktop notifications for AppArmor violations,
but this tool needs read access to /var/log/audit/audit.log.

One option would be to change the permissions of the file and directory to

    root:audit u=rwX,g=rX,o=

Then one could add the users to that group and they could run aa-notify.

Other options might be having a D-Bus service that could run as root and
inject the messages into D-Bus, and then they could be picked up by the
normal notification services running in the desktop environment.

Could the security team advise which solution would be preferred to solve
the problem? Do we have upstream contacts we could use to come to a
cross-distro solution for this problem?
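The permission layout proposed in the bug report and in Comment #1 (owner root, group "audit", u=rwX,g=rX,o=) is easy to state and easy to drift away from, so an administrator who adopts it wants a check that says whether /var/log/audit and audit.log actually match it. The following checker is an added example; it is not part of the bug thread, of aa-notify or of any SUSE package. It assumes the group name "audit" from the proposal and derives the octal modes 0750 (directory) and 0640 (file) from u=rwX,g=rX,o=; the default path /var/log/audit/audit.log is taken from the thread, and the remediation string it prints is the chown/chmod equivalent of the proposal.

```python
"""Check whether an audit log directory follows the root:audit, u=rwX,g=rX,o=
layout proposed in bug 1178154.  Added example, not part of the bug thread or
of any SUSE package; the group name "audit" and the octal modes below are
assumptions derived from the proposal in the thread."""
import grp
import os
import pwd
import stat

EXPECTED_OWNER = "root"
EXPECTED_GROUP = "audit"      # assumption: the group name proposed in the bug
MODE_FILE = 0o640             # u=rw,g=r,o=   for audit.log
MODE_DIR = 0o750              # u=rwx,g=rx,o= for /var/log/audit (X means x on a directory)


def check_mode(perm: int, is_dir: bool) -> list:
    """Compare a permission value (st_mode & 0o777) with the proposed layout.

    Returns a list of human-readable deviations; an empty list means the mode
    matches.  World access and group write are reported as separate findings
    because they widen exposure beyond the proposal rather than merely differ
    from it (a strictly tighter mode such as 0600 is only a mismatch).
    """
    expected = MODE_DIR if is_dir else MODE_FILE
    problems = []
    if perm & 0o007:
        problems.append("others have access (%o), expected none" % (perm & 0o007))
    if perm & 0o020:
        problems.append("group has write access, expected read-only")
    if perm != expected:
        problems.append("mode %04o differs from expected %04o" % (perm, expected))
    return problems


def check_ownership(owner: str, group: str) -> list:
    """Compare resolved owner and group names with the proposed root:audit."""
    problems = []
    if owner != EXPECTED_OWNER:
        problems.append("owner is %s, expected %s" % (owner, EXPECTED_OWNER))
    if group != EXPECTED_GROUP:
        problems.append("group is %s, expected %s" % (group, EXPECTED_GROUP))
    return problems


def remediation(path: str, is_dir: bool) -> str:
    """Shell commands (not executed here) that bring `path` into the proposed layout."""
    mode = MODE_DIR if is_dir else MODE_FILE
    return "chown %s:%s %s && chmod %04o %s" % (EXPECTED_OWNER, EXPECTED_GROUP, path, mode, path)


def _uid_name(uid: int) -> str:
    try:
        return pwd.getpwuid(uid).pw_name
    except KeyError:              # unknown uid: report the number instead
        return str(uid)


def _gid_name(gid: int) -> str:
    try:
        return grp.getgrgid(gid).gr_name
    except KeyError:              # unknown gid (e.g. group "audit" not created yet)
        return str(gid)


def check_path(path: str) -> dict:
    """Inspect one path; return its findings and a remediation command if needed."""
    st = os.lstat(path)           # lstat: do not follow a symlink planted in the log dir
    is_dir = stat.S_ISDIR(st.st_mode)
    problems = check_ownership(_uid_name(st.st_uid), _gid_name(st.st_gid))
    problems += check_mode(stat.S_IMODE(st.st_mode), is_dir)
    return {"path": path, "ok": not problems, "problems": problems,
            "fix": remediation(path, is_dir) if problems else ""}


def check_audit_layout(audit_dir="/var/log/audit", log_name="audit.log") -> list:
    """Check the directory and the current log file named in the bug report."""
    return [check_path(audit_dir), check_path(os.path.join(audit_dir, log_name))]


if __name__ == "__main__":
    for result in check_audit_layout():
        print("ok " if result["ok"] else "FIX", result["path"])
        for problem in result["problems"]:
            print("    -", problem)
        if result["fix"]:
            print("    fix:", result["fix"])
```

Run it as root (or as any user that can stat the directory) to get a per-path verdict and the chown/chmod line that would fix it. One caveat the thread does not mention: auditd recreates the log file when it rotates, so a one-off chmod on audit.log does not survive rotation; the group auditd applies to the files it creates is controlled by the log_group setting in /etc/audit/auditd.conf, which is the persistent place to set the "audit" group. Rotated files (audit.log.1 and so on) are not checked by check_audit_layout above; extend the list if they should carry the same permissions.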
http://bugzilla.opensuse.org/show_bug.cgi?id=1178154

Marcus Rückert <mrueckert@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
              Flags|                            |needinfo?(security-team@suse.de)
http://bugzilla.opensuse.org/show_bug.cgi?id=1178154

Tony Jones <tonyj@suse.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|tonyj@suse.com              |