[arch-general] Revisiting the SELinux/audit question: Disabling audit on the kernel command line

Tobias Markus tobias at miglix.eu
Mon Feb 13 15:18:17 UTC 2017


On Sun, 2017-02-12 at 23:13 +0100, Nicolas Iooss wrote:
> On Sun, Feb 12, 2017 at 6:43 PM, Tobias Markus <tobias at miglix.eu> wrote:
> 
> > Hi,
> > 
> > As some of you might know, the question of enabling SELinux support in
> > the official Arch Linux kernel package has been brought up a number of
> > times. The main issue that has been pointed out the previous time was
> > that enabling SELinux depends on CONFIG_AUDIT which is considered
> > unnecessary or even harmful for most desktop users since it generates a
> > flood of kernel log messages.
> > 
> 
> Hi,
> Do you have more information about this unwanted flood of messages? From my
> personal experience on systems with SELinux and audit, the application
> which produces the biggest number of audit events is Chromium, because of
> misconfigured seccomp rules that report in audit log every call to
> set_robust_list(). This has been reported two years ago on Chromium bug
> tracker and the developers seem unwilling to fix it (
> https://bugs.chromium.org/p/chromium/issues/detail?id=456535). If there are
> similar problems which need to be fixed before thinking of enabling audit
> compilation in Arch Linux kernel, where can I find information on them?
> 
> Regards,
> Nicolas

Hi Nicolas,

I have also seen a flood of audit messages arising from Chromium.
However, the configuration I propose would not actually enable audit by default,
i.e. unless you explicitly set "audit=1" in the bootloader's kernel command
line, the audit subsystem will be disabled and thus silent. In other words, if
you don't want to use SELinux/audit, the impact should be minimal.

Since the Chromium bug you mentioned is an application bug, I don't think it
should hinder enabling the audit option, especially since audit would be opt-in.

The reason for Chromium's message floods is that Chromium creates quite a lot of
processes and (as written in the bug report you mentioned) set_robust_list is
called during that. So floods of audit messages should be rather atypical.

Greetings
Tobias
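A check for the opt-in behaviour described in the message above, added here as an illustration and not part of the thread: it parses a kernel command line for the audit= parameter (only the audit=0 / audit=1 forms mentioned here) and tests whether syscall auditing is compiled into the running kernel. The sample command lines are constructed; the /proc/self/loginuid probe assumes that only kernels built with CONFIG_AUDITSYSCALL create that file.

```shell
#!/bin/sh
# Report how the kernel audit subsystem is configured for a given boot.

# audit_cmdline_state: given a kernel command line, print the effective
# "audit=" setting: "1" (enabled), "0" (disabled) or "unset" (parameter
# absent). If the parameter appears more than once, the last one wins,
# as for other kernel command line parameters.
audit_cmdline_state() {
    state=unset
    for tok in $1; do
        case $tok in
            audit=1) state=1 ;;
            audit=0) state=0 ;;
        esac
    done
    printf '%s\n' "$state"
}

# audit_syscall_support: succeed if the running kernel appears to be built
# with CONFIG_AUDITSYSCALL. Assumption: /proc/<pid>/loginuid is only
# provided by kernels built with that option.
audit_syscall_support() {
    [ -e /proc/self/loginuid ]
}

# Constructed sample command lines; on a real system use /proc/cmdline.
sample_on='BOOT_IMAGE=/vmlinuz-linux root=/dev/sda2 rw quiet audit=1'
sample_off='BOOT_IMAGE=/vmlinuz-linux root=/dev/sda2 rw quiet'

main() {
    for line in "$sample_on" "$sample_off"; do
        printf 'audit= for "%s": %s\n' "$line" "$(audit_cmdline_state "$line")"
    done
    if [ -r /proc/cmdline ]; then
        printf 'this boot: audit=%s, syscall auditing compiled in: ' \
            "$(audit_cmdline_state "$(cat /proc/cmdline)")"
        if audit_syscall_support; then echo yes; else echo no; fi
    fi
}

main "$@"
```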

