J. K. Cliburn wrote:
Recently I waded into the deep end of the SELinux pool by configuring
it to enforce targeted policy. Unfortunately I get a seemingly
endless quantity of "avc: granted" messages in my syslog, especially
when I do something like mindlessly playing a java-based poker game.
Seems to me it'd be fine if it logged only "avc: denied" events. Is
there a way to configure things to do just that? Am I shunting the
security intent of SELinux by doing so?
Sample log of java_vm session (about 35 seconds wall time):
Apr 3 18:57:44 localhost kernel: audit(1144108664.329:1030): avc:
granted { execmem } for pid=32484 comm="java_vm"
scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr 3 18:57:49 localhost kernel: audit(1144108669.354:1031): avc:
granted { execmem } for pid=32484 comm="java_vm"
scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr 3 18:57:49 localhost kernel: audit(1144108669.978:1032): avc:
granted { execmem } for pid=32484 comm="java_vm"
scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr 3 18:57:53 localhost kernel: audit(1144108673.818:1033): avc:
granted { execmem } for pid=32484 comm="java_vm"
scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr 3 18:57:59 localhost kernel: audit(1144108679.598:1034): avc:
granted { execmem } for pid=32484 comm="java_vm"
scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr 3 18:58:01 localhost kernel: audit(1144108681.606:1035): avc:
granted { execmem } for pid=32484 comm="java_vm"
scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr 3 18:58:05 localhost kernel: audit(1144108685.787:1036): avc:
granted { execmem } for pid=32484 comm="java_vm"
scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Thanks,
Jay
Where is the java executable located? If you execute
chcon -t java_exec_t JAVAPATH
your execmem warnings should go away.
Dan
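As an added example (not from Jay or Dan), a small Python parser for the kernel AVC records quoted in the thread: it summarises them by result, comm, tclass and permission so a single noisy rule stands out, and filters down to "avc: denied" records, the view Jay asked for. The sample input is constructed from the thread's records (re-joined to one syslog line each) plus one made-up denied record for contrast.

```python
import re
from collections import Counter

# Kernel AVC record format as seen in the thread (syslog writes each record on one line).
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc:\s+(?P<result>granted|denied)\s+"
    r"\{\s*(?P<perms>[^}]+?)\s*\}\s+for\s+(?P<fields>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value pairs after "for"

def parse_avc(line):
    """Parse one AVC record into a dict; return None for lines that are not AVC records."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    rec = {"time": float(m.group("ts")), "serial": int(m.group("serial")),
           "result": m.group("result"), "perms": m.group("perms").split()}
    for key, val in FIELD_RE.findall(m.group("fields")):
        rec[key] = val.strip('"')  # comm="java_vm" -> java_vm
    return rec

def summarize(lines):
    """Count records by (result, comm, tclass, permission) so one noisy rule stands out."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, lines)):
        for perm in rec["perms"]:
            counts[(rec["result"], rec.get("comm", "?"), rec.get("tclass", "?"), perm)] += 1
    return counts

def denied_only(lines):
    """Keep only 'avc: denied' records, the view Jay asked for."""
    return [rec for rec in map(parse_avc, lines) if rec and rec["result"] == "denied"]

# Constructed sample: two of the thread's granted records re-joined to one line each,
# one made-up denied record (not from the thread) for contrast, and one non-AVC line.
SAMPLE = [
    'Apr 3 18:57:44 localhost kernel: audit(1144108664.329:1030): avc: granted { execmem } for pid=32484 comm="java_vm" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process',
    'Apr 3 18:57:49 localhost kernel: audit(1144108669.354:1031): avc: granted { execmem } for pid=32484 comm="java_vm" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process',
    'Apr 3 18:58:05 localhost kernel: audit(1144108685.787:1036): avc: denied { read write } for pid=32490 comm="poker_helper" name="cards.dat" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file',
    'Apr 3 18:58:06 localhost kernel: some unrelated kernel message',
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE).items()):
        print(n, *key)   # e.g. "2 granted java_vm process execmem"
    print(len(denied_only(SAMPLE)), "denied record(s)")
```

"avc: granted" records are emitted by auditallow rules in the loaded policy rather than by a syslog setting, which is why Dan's fix relabels the executable so the process runs in a different domain instead of filtering the log.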