On Mon, 2017-02-13 at 16:18 +0100, Tobias Markus wrote:
On Sun, 2017-02-12 at 23:13 +0100, Nicolas Iooss wrote:
On Sun, Feb 12, 2017 at 6:43 PM, Tobias Markus email@example.com wrote:
As some of you might know, the question of enabling SELinux support in the official Arch Linux kernel package has been brought up a number of times. The main issue that has been pointed out the previous time was that enabling SELinux depends on CONFIG_AUDIT which is considered unnecessary or even harmful for most desktop users since it generates a flood of kernel log messages.
Hi, do you have more information about this unwanted flood of messages? From my personal experience on systems with SELinux and audit, the application which produces the biggest number of audit events is Chromium, because of misconfigured seccomp rules that report in the audit log every call to set_robust_list(). This was reported two years ago on the Chromium bug tracker and the developers seem unwilling to fix it (https://bugs.chromium.org/p/chromium/issues/detail?id=456535). If there are similar problems which need to be fixed before thinking of enabling audit compilation in the Arch Linux kernel, where can I find information on them?
I have also seen a flood of audit messages arising from Chromium. However, the configuration I propose would not actually enable audit by default, i.e. unless you explicitly set "audit=1" in the bootloader's kernel command line, the audit subsystem will be disabled and thus silent. In other words, if you don't want to use SELinux/audit, the impact should be minimal.
Since the Chromium bug you mentioned is an application bug, I don't think it should hinder enabling the audit option, especially since audit would be opt-in.
It's not a bug. It's intentional hardening... and is correct.
The reason for Chromium's message floods is that Chromium creates quite a lot of processes and (as written in the bug report you mentioned) set_robust_list is called during that. So floods of audit messages should be rather atypical.
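The audit noise discussed in this thread is easiest to pin down by aggregating the kernel's SECCOMP audit records per program and syscall, which is what the following added example does (it is not code from the thread or from any of its participants). The log lines are constructed to mimic the SECCOMP record format, and the small syscall-name table covers only the x86_64 numbers that appear in the sample (273 is set_robust_list on x86_64).

```python
"""Summarise seccomp audit records by process name and syscall.

Added example, not from the mailing-list thread. Feed it the text of
/var/log/audit/audit.log (or `ausearch -m SECCOMP` output) to see which
program and syscall generate most of the audit noise.
"""
import re
from collections import Counter

# Constructed sample: three records from Chromium child processes hitting
# set_robust_list, one from another sandboxed program, one non-SECCOMP record.
SAMPLE_AUDIT_LOG = """\
type=SECCOMP msg=audit(1486912345.100:101): auid=1000 uid=1000 gid=1000 ses=2 pid=4321 comm="chromium" exe="/usr/lib/chromium/chromium" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7f0a1c2b3c4d code=0x50000
type=SECCOMP msg=audit(1486912345.101:102): auid=1000 uid=1000 gid=1000 ses=2 pid=4322 comm="chromium" exe="/usr/lib/chromium/chromium" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7f0a1c2b3c4d code=0x50000
type=SECCOMP msg=audit(1486912345.102:103): auid=1000 uid=1000 gid=1000 ses=2 pid=4323 comm="chromium" exe="/usr/lib/chromium/chromium" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7f0a1c2b3c4d code=0x50000
type=SECCOMP msg=audit(1486912345.200:104): auid=1000 uid=1000 gid=1000 ses=2 pid=5000 comm="firefox" exe="/usr/lib/firefox/firefox" sig=0 arch=c000003e syscall=101 compat=0 ip=0x7f0b2d3e4f50 code=0x50000
type=SYSCALL msg=audit(1486912345.300:105): arch=c000003e syscall=59 success=yes exit=0 ...
"""

# x86_64 (arch=c000003e) syscall numbers used in the sample; extend as needed.
SYSCALL_NAMES_X86_64 = {101: "ptrace", 273: "set_robust_list"}

SECCOMP_RE = re.compile(
    r'^type=SECCOMP .*?\bcomm="(?P<comm>[^"]*)".*?\barch=(?P<arch>[0-9a-f]+)'
    r'.*?\bsyscall=(?P<syscall>\d+)'
)


def seccomp_noise(log_text):
    """Return a Counter keyed by (comm, syscall name) over SECCOMP records."""
    counts = Counter()
    for line in log_text.splitlines():
        m = SECCOMP_RE.match(line)
        if not m:
            continue  # SYSCALL, AVC and other record types are ignored
        nr = int(m.group("syscall"))
        # Only x86_64 numbers are mapped; other ABIs keep the raw number.
        if m.group("arch") == "c000003e":
            name = SYSCALL_NAMES_X86_64.get(nr, f"syscall#{nr}")
        else:
            name = f"syscall#{nr}"
        counts[(m.group("comm"), name)] += 1
    return counts


def top_noise_sources(log_text, n=3):
    """Most frequent (comm, syscall) pairs, most noisy first."""
    return seccomp_noise(log_text).most_common(n)


if __name__ == "__main__":
    for (comm, name), count in top_noise_sources(SAMPLE_AUDIT_LOG):
        print(f"{count:6d}  {comm:<16} {name}")
```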