auditd and CAP_AUDIT_READ

Hi Steve, In commit 183775f155cb96d8012c2d493041a03f1b825b2f ("Do capabilities check rather than uid") a switch was made from checking "getuid() != 0" to checking CAP_AUDIT_CONTROL and CAP_AUDIT_READ via audit_can_control() and audit_can_read(). Does auditd use the multicast socket? If not, there is no need for it to check or have CAP_AUDIT_READ. Having audit_can_read() available in lib/libaudit.c is certainly useful regardless for other potential libaudit users like systemd. - RGB -- Richard Guy Briggs <rgb(a)redhat.com&gt; Sr. S/W Engineer, Kernel Security, Base Operating Systems Remote, Ottawa, Red Hat Canada IRC: rgb, SunRaycer Voice: +1.647.777.2635, Internal: (81) 32635