audit-userspace
Remove RefuseManualStop=yes from systemd unit?
auditd.service has the following line: RefuseManualStop=yes
It makes systemctl stop auditd not work, but systemctl kill auditd still works.
It is not good to force users to stop the daemon by SIGKILL instead of a normal stop.
It was introduced by commit https://github.com/linux-audit/audit-userspace/commit/e94faad18f13da6acc183e98d51d1a93cdc24c03 9 years ago, but I cannot understand why it is needed. I think RefuseManualStop=yes can be removed nowadays.
It is needed because there are requirements to associate any user interacting with the audit system in audit events. When you use systemctl, it uses dbus to talk to systemd, which in turn sends a signal to auditd. Auditd asks the kernel who did this and it says no one instead of the user. That is wrong.
If you use the service command, it sends the signal directly in the user context and then auditd asks the kernel who did that and it reports the correct user id. I have asked for changes to systemctl for years and they refuse to make any changes. So, you should use the service command unless systemd makes changes.
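The attribution problem described above leaves a visible trace in the log: a DAEMON_END record whose auid is the kernel's "unset" login uid (4294967295, i.e. (uid_t)-1) instead of the operator's login uid. The following check is an added example written for this thread, not code from the audit-userspace project; the DAEMON_END field layout and the three log lines are constructed for illustration, and the function names (parse_record, unattributed_daemon_stops) are assumptions of the example. It parses audit records into key/value pairs and reports daemon stops that cannot be tied to a login session.

```python
import re
from typing import Dict, List

# Kernel value for an unset login uid (auid): (uid_t)-1. A stop delivered
# through systemd's dbus path is signalled by systemd, so the kernel reports
# this value rather than the operator's auid.
AUID_UNSET = 4294967295

# Constructed sample records (not captured from a real system). Record 1 models
# a stop sent in the user's own context (e.g. `service auditd stop`), record 2
# a stop signalled by systemd on the user's behalf, record 3 is unrelated noise.
SAMPLE_LOG = """\
type=DAEMON_END msg=audit(1700000000.100:1): op=terminate auid=1000 uid=0 ses=3 pid=812 res=success
type=DAEMON_END msg=audit(1700000100.200:2): op=terminate auid=4294967295 uid=0 ses=4294967295 pid=905 res=success
type=SYSCALL msg=audit(1700000200.300:3): arch=c000003e syscall=59 success=yes exit=0 auid=1000 uid=0 ses=3
"""

# Generic audit record header: type=... msg=audit(<time>:<serial>): <key=value ...>
_HEADER = re.compile(
    r"^type=(?P<type>\S+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):\s*(?P<rest>.*)$"
)


def parse_record(line: str) -> Dict[str, str]:
    """Split one audit record into a dict; returns {} for lines that do not parse."""
    m = _HEADER.match(line.strip())
    if not m:
        return {}
    rec = {"type": m.group("type"), "timestamp": m.group("ts"), "serial": m.group("serial")}
    for token in m.group("rest").split():
        key, sep, value = token.partition("=")
        if sep:  # skip bare words; strip quotes some fields carry
            rec[key] = value.strip('"')
    return rec


def unattributed_daemon_stops(log_text: str) -> List[Dict[str, str]]:
    """Return DAEMON_END records whose auid is unset, i.e. stops with no accountable user."""
    findings = []
    for line in log_text.splitlines():
        rec = parse_record(line)
        if rec.get("type") != "DAEMON_END":
            continue
        # Missing auid is treated the same as unset: either way nobody is accountable.
        auid = int(rec.get("auid", AUID_UNSET))
        if auid == AUID_UNSET:
            findings.append({
                "serial": rec["serial"],
                "pid": rec.get("pid", "?"),
                "reason": "auid unset: daemon stop not attributable to a login session",
            })
    return findings


if __name__ == "__main__":
    for f in unattributed_daemon_stops(SAMPLE_LOG):
        print(f"serial={f['serial']} pid={f['pid']}: {f['reason']}")
```

Run over a real audit.log the same logic gives a quick way to see whether stops on a host are arriving with a usable auid (the service/auditctl path) or as unattributed events (the dbus path the maintainer describes).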
Thanks for explaining! But systemctl kill auditd still allows killing the daemon...
That would be a bug in systemctl. They probably say they have to do this for emergency purposes on system shutdown.
Ok. I see your point. Thanks for explaining.
auditctl --signal stop was created earlier this year to avoid using the service command. This is the best we can do right now.