[arch-general] Revisiting the SELinux/audit question: Disabling audit on the kernel command line

Nicolas Iooss nicolas.iooss at m4x.org
Sun Feb 12 22:13:43 UTC 2017


On Sun, Feb 12, 2017 at 6:43 PM, Tobias Markus <tobias at miglix.eu> wrote:

> Hi,
>
> As some of you might know, the question of enabling SELinux support in
> the official Arch Linux kernel package has been brought up a number of
> times. The main issue that has been pointed out the previous time was
> that enabling SELinux depends on CONFIG_AUDIT which is considered
> unnecessary or even harmful for most desktop users since it generates a
> flood of kernel log messages.
>

Hi,
Do you have more information about this unwanted flood of messages? From my
personal experience on systems with SELinux and audit, the application
which produces the biggest number of audit events is Chromium, because of
misconfigured seccomp rules that report every call to set_robust_list() in
the audit log. This was reported two years ago on the Chromium bug
tracker and the developers seem unwilling to fix it
(https://bugs.chromium.org/p/chromium/issues/detail?id=456535). If there are
similar problems which need to be fixed before thinking of enabling audit
compilation in the Arch Linux kernel, where can I find information on them?

Regards,
Nicolas

