Turn off SELinux "avc: granted" logging

Matthew Saltzman mjs at ces.clemson.edu
Tue Apr 4 19:41:32 UTC 2006


On Tue, 4 Apr 2006, J. K. Cliburn wrote:

> On 4/3/06, J. K. Cliburn <jcliburn at gmail.com> wrote:
>> endless quantity of "avc: granted" messages in my syslog,
>
>> Apr  3 18:57:44 localhost kernel: audit(1144108664.329:1030): avc:
>> granted  { execmem } for  pid=32484 comm="java_vm"
>> scontext=user_u:system_r:unconfined_t:s0
>> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>
> Well, at least now I understand why I'm seeing all the avc: granted
> messages.  It's a feature.
>
>> From http://fedoraproject.org/wiki/SELinux/FC5Features
>
> [QUOTE]
> We have started confining Userspace from these access checks, in
> Fedora Core 5. This is the beginning of allowing an administrator to
> confine userspace from malicious code. execmem and execstack by
> default are still allowed although you will see AVC granted messages
> in your log file. You can turn off these booleans and tighten your
> security by executing.
>
> setsebool -P allow_execmem=0 allow_execstack=0
>
> We left these on, because of certain applications that were built
> incorrectly and need these privileges, especially the web browser
> plugins.
>
> We have worked hard to clean up all code shipped in Fedora to
> eliminate the need for these privileges. If you see the granted
> message in your log files, you should open a bugzilla on those apps
> that require it, and copy me. :^)
> [/QUOTE]
>
> Am I to understand that I should open a bug for every avc: granted
> message in my syslog, as indicated by the last paragraph above?

That's how I would read it.  But file it against the application that 
causes the message.  I'm sure there will be many duplicates.

-- 
 		Matthew Saltzman

Clemson University Math Sciences
mjs AT clemson DOT edu
http://www.math.clemson.edu/~mjs
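Before following the wiki's advice to run `setsebool -P allow_execmem=0 allow_execstack=0`, it helps to know which programs are currently relying on those permissions, since each of them is a candidate for a bug report and will start failing once the boolean is off. The shell functions below are an added example, not code from the thread or from Fedora: they parse syslog lines in the FC5 audit format quoted above, tally the "avc: granted" messages by permission and program, and list the programs that a given boolean protects. The log lines are constructed for the example (the java_vm line mirrors the one in the thread; the firefox-bin and httpd lines are invented), and the function names are mine.

```shell
# Added example, not part of the original thread.
# Constructed sample syslog lines in the FC5 audit format. The last line is a
# "denied" message and must be ignored by the summary.
SAMPLE_LOG='Apr  3 18:57:44 localhost kernel: audit(1144108664.329:1030): avc:  granted  { execmem } for  pid=32484 comm="java_vm" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr  3 18:57:45 localhost kernel: audit(1144108665.101:1031): avc:  granted  { execmem } for  pid=32484 comm="java_vm" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr  3 18:58:02 localhost kernel: audit(1144108682.512:1032): avc:  granted  { execstack } for  pid=32501 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr  3 18:58:10 localhost kernel: audit(1144108690.004:1033): avc:  denied  { write } for  pid=1234 comm="httpd" name="index.html" dev=sda1 ino=12345 scontext=system_u:system_r:httpd_t:s0 tcontext=system_u:object_r:httpd_sys_content_t:s0 tclass=file'

# granted_summary: read syslog lines on stdin and print one line per distinct
# (permission, program) pair among the "avc: granted" messages, formatted as
# "COUNT PERMISSION COMM", most frequent first. Denials are skipped.
granted_summary() {
    grep 'avc: *granted' |
    sed -n 's/.*{ *\([a-z_]*\) *}.*comm="\([^"]*\)".*/\1 \2/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2, $3 }'
}

# would_break BOOLEAN: read syslog lines on stdin and list the programs whose
# granted messages would turn into denials if BOOLEAN (allow_execmem or
# allow_execstack, as named in the FC5 wiki text) were set to 0. The boolean
# name maps to the permission by stripping the "allow_" prefix.
would_break() {
    perm=${1#allow_}
    granted_summary | awk -v p="$perm" '$2 == p { print $3 }' | sort -u
}

# Stand-alone usage: summarise the constructed log, then check allow_execmem.
printf '%s\n' "$SAMPLE_LOG" | granted_summary
printf '%s\n' "$SAMPLE_LOG" | would_break allow_execmem
```

On a real system, feed the functions `/var/log/messages` (or the audit log, if auditd is running) instead of `$SAMPLE_LOG`, and check the current boolean names with `getsebool -a | grep exec` before running `setsebool -P`, since later policies have renamed some of them. A program that appears in the `would_break` output is exactly the kind of application the wiki text asks you to file a bug against.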
