Re: Turn off SELinux "avc: granted" logging

On Tue, 4 Apr 2006, J. K. Cliburn wrote:

> On 4/3/06, J. K. Cliburn <jcliburn@xxxxxxxxx> wrote:
>> endless quantity of "avc: granted" messages in my syslog,
>>
>> Apr  3 18:57:44 localhost kernel: audit(1144108664.329:1030): avc: granted  { execmem } for  pid=32484 comm="java_vm" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>
> Well, at least now I understand why I'm seeing all the avc: granted
> messages.  It's a feature.
>
> From http://fedoraproject.org/wiki/SELinux/FC5Features
>
> [QUOTE]
> We have started confining Userspace from these access checks, in
> Fedora Core 5. This is the beginning of allowing an administrator to
> confine userspace from malicious code. execmem and execstack by
> default are still allowed although you will see AVC granted messages
> in your log file. You can turn off these booleans and tighten your
> security by executing.
>
> setsebool -P allow_execmem=0 allow_execstack=0
>
> We left these on, because of certain applications that were built
> incorrectly and need these privileges, especially the web browser
> plugins.
>
> We have worked hard to clean up all code shipped in Fedora to
> eliminate the need for these privileges. If you see the granted
> message in your log files, you should open a bugzilla on those apps
> that require it, and copy me. :^)
> [/QUOTE]
>
> Am I to understand that I should open a bug for every avc: granted
> message in my syslog, as indicated by the last paragraph above?

That's how I would read it. But file it against the application that causes the message. I'm sure there will be many duplicates.

--
		Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
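Since the advice in the thread is to file one bug per application rather than per log line, the practical first step is to group the "avc: granted" messages by the program (comm=) and the permission (execmem or execstack) that triggered them. The following Python script is an added example, not code from the thread or from Fedora: it parses the FC5-era syslog format shown above and counts granted execmem/execstack checks per program, so you can see which binaries to report before deciding whether to run the setsebool command. The regular expressions are assumptions about that log format; the sample lines are constructed for the example (only the first one is the java_vm line quoted in the thread).

```python
import re
from collections import Counter

# Constructed sample syslog excerpt. The first line is the java_vm message
# quoted in the thread; the remaining lines are made up to exercise grouping,
# a denial, and a non-AVC line that must be ignored.
SAMPLE_LOG = """\
Apr  3 18:57:44 localhost kernel: audit(1144108664.329:1030): avc: granted  { execmem } for  pid=32484 comm="java_vm" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr  3 18:57:45 localhost kernel: audit(1144108665.101:1031): avc: granted  { execmem } for  pid=32484 comm="java_vm" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr  3 18:58:02 localhost kernel: audit(1144108682.512:1032): avc: granted  { execstack } for  pid=32501 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr  3 18:58:10 localhost kernel: audit(1144108690.004:1033): avc:  denied  { write } for  pid=32510 comm="httpd" name="config" dev=sda2 ino=12345 scontext=user_u:system_r:httpd_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file
Apr  3 18:58:11 localhost sshd[1234]: Accepted password for jdoe from 10.0.0.5 port 51234 ssh2
"""

# Matches the verdict, the permission set in braces, and the trailing key=value fields.
AVC_RE = re.compile(
    r'avc:\s+(?P<verdict>granted|denied)\s+\{\s*(?P<perms>[^}]*?)\s*\}\s+for\s+'
    r'(?P<fields>.*)$'
)
# key=value pairs; values are either double-quoted (comm="java_vm") or bare tokens.
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|(\S+))')


def parse_avc(line):
    """Return a dict describing an avc: message, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    rec = {"verdict": m.group("verdict"), "perms": m.group("perms").split()}
    for key, _whole, quoted, bare in FIELD_RE.findall(m.group("fields")):
        rec[key] = quoted if quoted else bare
    return rec


def granted_by_program(log_text, perms=("execmem", "execstack")):
    """Count 'avc: granted' messages per (comm, permission) for the given permissions.

    Denials and unrelated log lines are skipped; each (program, permission)
    pair is what you would file a single bug against.
    """
    counts = Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None or rec["verdict"] != "granted":
            continue
        for perm in rec["perms"]:
            if perm in perms:
                counts[(rec.get("comm", "?"), perm)] += 1
    return counts


def report(counts):
    """Render the counts as one line per (program, permission), most frequent first."""
    return [f"{comm}: {perm} x{n}"
            for (comm, perm), n in sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))]


if __name__ == "__main__":
    for line in report(granted_by_program(SAMPLE_LOG)):
        print(line)
```

Feed it your real syslog with `granted_by_program(open("/var/log/messages").read())`; the resulting list is the set of applications to report, and an empty result means the two booleans can be turned off without breaking anything you are currently running.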
