Bug#1015969: kscreenlocker_greet: missing audit_write capability

To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: Bug#1015969: kscreenlocker_greet: missing audit_write capability
From: Christian Göttsche <cgzones@googlemail.com>
Date: Sun, 24 Jul 2022 17:19:07 +0200
Message-id: <[🔎] CAJ2a_Dd1cVv6EXvFWaNVAFJqz3vQ8tSKM_kTXjoGKv4BaEZRLw@mail.gmail.com>
Reply-to: Christian Göttsche <cgzones@googlemail.com>, 1015969@bugs.debian.org

Package: libkscreenlocker5
Version: 5.25.3-1
Severity: important


kscreenlocker_greet needs the capability AUDIT_WRITE to be able to
issue audit events on unlock, like:

    Jaudit[31282]: USER_AUTH pid=31282 uid=1000 auid=1000 ses=30
subj=xuser_u:xuser_r:kscreenlocker_greet_t:s0
msg='op=PAM:authentication grantors=pam_permit,pam_cap
acct="christian"
exe="/usr/lib/x86_64-linux-gnu/libexec/kscreenlocker_greet" hostnam>

Maybe add something like the following to postinst:

    # Set the capabilities
    if command -v setcap > /dev/null && setcap "CAP_AUDIT_WRITE=+ep"
/usr/lib/$(ARCH)/libexec/kscreenlocker_greet; then
        echo "Successfully set capabilities for kscreenlocker_greet"
    else
        echo "Failed to set capabilities for kscreenlocker_greet" >&2
    fi

Reply to:

Prev by Date: krita is marked for autoremoval from testing
Next by Date: Bug#1015972: k3b: CD fails to burn, even with correct permissions
Previous by thread: krita is marked for autoremoval from testing
Next by thread: Bug#1015972: k3b: CD fails to burn, even with correct permissions
Index(es):
- Date
- Thread