
Re: Turn off SELinux "avc: granted" logging



J. K. Cliburn wrote:
Recently I waded into the deep end of the SELinux pool by configuring
it to enforce targeted policy.  Unfortunately I get a seemingly
endless quantity of "avc: granted" messages in my syslog, especially
when I do something like mindlessly playing a java-based poker game.
Seems to me it'd be fine if it logged only "avc: denied" events.  Is
there a way to configure things to do just that?  Am I shunting the
security intent of SELinux by doing so?

Sample log of java_vm session (about 35 seconds wall time):

Apr 3 18:57:44 localhost kernel: audit(1144108664.329:1030): avc: granted { execmem } for pid=32484 comm="java_vm" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr 3 18:57:49 localhost kernel: audit(1144108669.354:1031): avc: granted { execmem } for pid=32484 comm="java_vm" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr 3 18:57:49 localhost kernel: audit(1144108669.978:1032): avc: granted { execmem } for pid=32484 comm="java_vm" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr 3 18:57:53 localhost kernel: audit(1144108673.818:1033): avc: granted { execmem } for pid=32484 comm="java_vm" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr 3 18:57:59 localhost kernel: audit(1144108679.598:1034): avc: granted { execmem } for pid=32484 comm="java_vm" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr 3 18:58:01 localhost kernel: audit(1144108681.606:1035): avc: granted { execmem } for pid=32484 comm="java_vm" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr 3 18:58:05 localhost kernel: audit(1144108685.787:1036): avc: granted { execmem } for pid=32484 comm="java_vm" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process


Thanks,
Jay

Where is the java executable located?  If you execute

chcon -t java_exec_t JAVAPATH

your execmem warnings should go away.

Dan
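As an added example (not code from the thread or from either poster), a small Python triage script that parses the kernel AVC record format quoted above and counts events by verdict, source type, object class and permission, so the noisy "granted" records can be tallied without hiding any real denials. The sample records are constructed in the shape of the ones Jay posted; the java_t "denied" record is invented purely so both verdicts are exercised.

```python
import re
from collections import Counter

# Constructed sample in the shape of the records quoted in this thread.
# The third line is an invented denial (java relabeled, running as java_t).
SAMPLE_LOG = """\
Apr 3 18:57:44 localhost kernel: audit(1144108664.329:1030): avc: granted { execmem } for pid=32484 comm="java_vm" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr 3 18:57:49 localhost kernel: audit(1144108669.354:1031): avc: granted { execmem } for pid=32484 comm="java_vm" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr 3 18:58:10 localhost kernel: audit(1144108690.101:1037): avc: denied { read } for pid=4242 comm="java_vm" name="prefs" dev=sda1 ino=9876 scontext=user_u:system_r:java_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file
"""

# Shape of a 2.6-era syslog AVC line: audit(ts:serial): avc: VERDICT { perms } for k=v ...
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): avc: "
    r"(?P<verdict>granted|denied) \{ (?P<perms>[^}]+) \} for (?P<rest>.*)$"
)
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')


def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(m.group("rest"))}
    # A context is user:role:type[:range]; the type is the third element.
    parts = fields.get("scontext", "").split(":")
    return {
        "ts": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "verdict": m.group("verdict"),
        "perms": m.group("perms").split(),
        "fields": fields,
        "stype": parts[2] if len(parts) >= 3 else "?",
    }


def summarize(text):
    """Count records by (verdict, source type, object class, permission)."""
    counts = Counter()
    for rec in filter(None, map(parse_avc, text.splitlines())):
        for perm in rec["perms"]:
            counts[(rec["verdict"], rec["stype"], rec["fields"].get("tclass", "?"), perm)] += 1
    return counts


def denials(text):
    """Only the 'denied' records, i.e. accesses SELinux actually blocked."""
    return [r for r in map(parse_avc, text.splitlines()) if r and r["verdict"] == "denied"]


if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
```

Run against a real syslog extract, the summary separates the repetitive unconfined_t execmem grants from anything actually denied, which is the list worth acting on.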

