On Tue, 4 Apr 2006, J. K. Cliburn wrote:
On 4/3/06, J. K. Cliburn <jcliburn@xxxxxxxxx> wrote:
endless quantity of "avc: granted" messages in my syslog,
Apr 3 18:57:44 localhost kernel: audit(1144108664.329:1030): avc:
granted { execmem } for pid=32484 comm="java_vm"
scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Well, at least now I understand why I'm seeing all the avc: granted
messages. It's a feature.
From http://fedoraproject.org/wiki/SELinux/FC5Features
[QUOTE]
We have started confining Userspace from these access checks, in
Fedora Core 5. This is the beginning of allowing an administrator to
confine userspace from malicious code. execmem and execstack by
default are still allowed although you will see AVC granted messages
in your log file. You can turn off these booleans and tighten your
security by executing.
setsebool -P allow_execmem=0 allow_execstack=0
We left these on, because of certain applications that were built
incorrectly and need these privileges, especially the web browser
plugins.
We have worked hard to clean up all code shipped in Fedora to
eliminate the need for these priviledges. If you see the granted
message in your log files, you should open a bugzilla on those apps
that require it, and copy me. :^)
[/QUOTE]
Am I to understand that I should open a bug for every avc: granted
message in my syslog, as indicated by the last paragraph above?
That's how I would read it. But file it against the application that
causes the message. I'm sure there will be many duplicates.
--
Matthew Saltzman
Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
