[arch-general] Revisiting the SELinux/audit question: Disabling audit on the kernel command line

Daniel Micay danielmicay at gmail.com
Mon Feb 13 18:34:09 UTC 2017


On Mon, 2017-02-13 at 16:18 +0100, Tobias Markus wrote:
> On Sun, 2017-02-12 at 23:13 +0100, Nicolas Iooss wrote:
> > On Sun, Feb 12, 2017 at 6:43 PM, Tobias Markus <tobias at miglix.eu> wrote:
> > 
> > > Hi,
> > > 
> > > As some of you might know, the question of enabling SELinux support
> > > in the official Arch Linux kernel package has been brought up a
> > > number of times. The main issue that has been pointed out the
> > > previous time was that enabling SELinux depends on CONFIG_AUDIT,
> > > which is considered unnecessary or even harmful for most desktop
> > > users since it generates a flood of kernel log messages.
> > > 
> > 
> > Hi,
> > Do you have more information about this unwanted flood of messages?
> > From my personal experience on systems with SELinux and audit, the
> > application which produces the biggest number of audit events is
> > Chromium, because of misconfigured seccomp rules that report in the
> > audit log every call to set_robust_list(). This has been reported two
> > years ago on the Chromium bug tracker and the developers seem
> > unwilling to fix it
> > (https://bugs.chromium.org/p/chromium/issues/detail?id=456535). If
> > there are similar problems which need to be fixed before thinking of
> > enabling audit compilation in the Arch Linux kernel, where can I find
> > information on them?
> > 
> > Regards,
> > Nicolas
> 
> Hi Nicolas,
> 
> I have also seen a flood of audit messages arising from Chromium.
> However, the configuration I propose would not actually enable audit by
> default, i.e. unless you explicitly set "audit=1" in the bootloader's
> kernel command line, the audit subsystem will be disabled and thus
> silent. In other words, if you don't want to use SELinux/audit, the
> impact should be minimal.
> 
> Since the Chromium bug you mentioned is an application bug, I don't
> think it should hinder enabling the audit option, especially since
> audit would be opt-in.

It's not a bug. It's intentional hardening... and is correct.

> The reason for Chromium's message floods is that Chromium creates
> quite a lot of processes and (as written in the bug report you
> mentioned) set_robust_list is called during that. So floods of audit
> messages should be rather atypical.
> 
> Greetings
> Tobias
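
An added example, not code from this thread, from Chromium, or from the kernel: a minimal seccomp-bpf filter of the kind under discussion, which denies set_robust_list(2) with EPERM and allows every other syscall, together with a small userspace interpreter so the filter's verdicts can be checked without installing it, and a main() that installs it for real with prctl(2) and shows the resulting EPERM. Chromium's actual sandbox policy is not reproduced; the architecture-constant selection, the helper names (run_filter, verdict_for, install_filter) and the sample seccomp_data inputs are this example's own assumptions. The connection to the audit flood: any verdict other than SECCOMP_RET_ALLOW is a filter hit, which the kernel reports to audit as a SECCOMP (type=1326) record when audit is active for the process, so a rule that fires on a syscall made every time a process is created yields one record per process.

```c
/* Added example: seccomp-bpf filter denying set_robust_list, plus a dry-run interpreter. */
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/prctl.h>
#include <sys/syscall.h>
#include <linux/audit.h>
#include <linux/filter.h>
#include <linux/seccomp.h>

/* Architecture tag the kernel puts in seccomp_data.arch; a filter must check it. */
#if defined(__x86_64__)
#define SECCOMP_ARCH AUDIT_ARCH_X86_64
#elif defined(__aarch64__)
#define SECCOMP_ARCH AUDIT_ARCH_AARCH64
#else
#error "add the AUDIT_ARCH_* constant for this architecture"
#endif

/* ERRNO verdict: the low 16 bits are the errno the caller sees. Every verdict
 * other than ALLOW is a filter hit, which audit reports as a SECCOMP (1326) record. */
#define DENY_EPERM (SECCOMP_RET_ERRNO | (EPERM & SECCOMP_RET_DATA))

static struct sock_filter deny_set_robust_list[] = {
    /* Kill on a foreign ABI: syscall numbers differ between architectures. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, arch)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, SECCOMP_ARCH, 1, 0),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_KILL),
    /* Deny set_robust_list with EPERM, allow everything else. */
    BPF_STMT(BPF_LD | BPF_W | BPF_ABS, offsetof(struct seccomp_data, nr)),
    BPF_JUMP(BPF_JMP | BPF_JEQ | BPF_K, __NR_set_robust_list, 0, 1),
    BPF_STMT(BPF_RET | BPF_K, DENY_EPERM),
    BPF_STMT(BPF_RET | BPF_K, SECCOMP_RET_ALLOW),
};
#define FILTER_LEN (sizeof(deny_set_robust_list) / sizeof(deny_set_robust_list[0]))

/* Classic-BPF interpreter for the three opcodes used above. The kernel rejects
 * other opcodes at load time; here they, and out-of-range loads, yield KILL. */
static uint32_t run_filter(const struct sock_filter *prog, size_t len,
                           const struct seccomp_data *sd)
{
    const unsigned char *mem = (const unsigned char *)sd;
    uint32_t acc = 0;

    for (size_t pc = 0; pc < len; pc++) {
        const struct sock_filter *insn = &prog[pc];
        switch (insn->code) {
        case BPF_LD | BPF_W | BPF_ABS:
            if ((size_t)insn->k + sizeof(acc) > sizeof(*sd))
                return SECCOMP_RET_KILL;
            memcpy(&acc, mem + insn->k, sizeof(acc));
            break;
        case BPF_JMP | BPF_JEQ | BPF_K:
            pc += (acc == insn->k) ? insn->jt : insn->jf; /* relative to next insn */
            break;
        case BPF_RET | BPF_K:
            return insn->k;
        default:
            return SECCOMP_RET_KILL;
        }
    }
    return SECCOMP_RET_KILL; /* ran off the end; the kernel would refuse to load this */
}

/* Dry run: verdict for one syscall number on one architecture (constructed input). */
static uint32_t verdict_for(int nr, uint32_t arch)
{
    struct seccomp_data sd;
    memset(&sd, 0, sizeof(sd));
    sd.nr = nr;
    sd.arch = arch;
    return run_filter(deny_set_robust_list, FILTER_LEN, &sd);
}

/* Install for real; no_new_privs lets an unprivileged process do this. */
static int install_filter(void)
{
    struct sock_fprog prog = { .len = (unsigned short)FILTER_LEN,
                               .filter = deny_set_robust_list };
    if (prctl(PR_SET_NO_NEW_PRIVS, 1, 0, 0, 0) != 0)
        return -1;
    return prctl(PR_SET_SECCOMP, SECCOMP_MODE_FILTER, &prog);
}

int main(void)
{
    printf("dry run: set_robust_list=0x%08x getpid=0x%08x wrong-arch=0x%08x\n",
           (unsigned)verdict_for(__NR_set_robust_list, SECCOMP_ARCH),
           (unsigned)verdict_for(__NR_getpid, SECCOMP_ARCH),
           (unsigned)verdict_for(__NR_getpid, SECCOMP_ARCH ^ 1));
    if (install_filter() != 0) {
        perror("install_filter");
        return 1;
    }
    /* From here on, every call below is a filter hit: one audit record per call. */
    long rc = syscall(__NR_set_robust_list, NULL, 0);
    printf("set_robust_list after install: rc=%ld errno=%d (%s)\n",
           rc, errno, strerror(errno));
    return 0;
}
```

Build with gcc -Wall on Linux and run as a normal user: the dry run needs no privileges at all, and the live install only needs PR_SET_NO_NEW_PRIVS, which is why sandboxes such as Chromium's can apply such filters without CAP_SYS_ADMIN. Whether a hit then lands in dmesg or in auditd's log is a matter of the audit configuration the thread is about, not of the filter itself.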