proc_loginuid_write() checks wrong capability?

Hi, Looking at the code for proc_loginuid_write() in Linus' git tree, the capability CAP_AUDIT_CONTROL is needed to write to /proc/pid/loginuid and generate LOGIN type records. This seems to run counter to the capabilities(7) manpage, which suggests that CAP_AUDIT_CONTROL is to "Enable and disable kernel auditing; change auditing filter rules; retrieve auditing status and filtering rules", whereas CAP_AUDIT_WRITE is to "Allow records to be written to kernel auditing log." Should the following patch be applied, or am I misunderstanding something? It doesn't seem quite right that anything that makes use of pam_loginuid.so should need to be granted the capability that allows enabling and disabling kernel auditing or changing filter rules. Signed-off-by: Steve Beattie <sbeattie(a)suse.de&gt; --- fs/proc/base.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) Index: kernel-linus/fs/proc/base.c =================================================================== --- kernel-linus.orig/fs/proc/base.c +++ kernel-linus/fs/proc/base.c @@ -741,7 +741,7 @@ static ssize_t proc_loginuid_write(struc ssize_t length; uid_t loginuid; - if (!capable(CAP_AUDIT_CONTROL)) + if (!capable(CAP_AUDIT_WRITE)) return -EPERM; if (current != pid_task(proc_pid(inode), PIDTYPE_PID)) Thanks. -- Steve Beattie SUSE Labs, Novell Inc. <sbeattie(a)suse.de&gt; http://NxNW.org/~steve/