On Mon, 2017-02-13 at 16:18 +0100, Tobias Markus wrote:
> On Sun, 2017-02-12 at 23:13 +0100, Nicolas Iooss wrote:
> > On Sun, Feb 12, 2017 at 6:43 PM, Tobias Markus <tobias@xxxxxxxxx> wrote:
> > >
> > > Hi,
> > >
> > > As some of you might know, the question of enabling SELinux support in
> > > the official Arch Linux kernel package has been brought up a number of
> > > times. The main issue that was pointed out the previous time was that
> > > enabling SELinux depends on CONFIG_AUDIT, which is considered
> > > unnecessary or even harmful for most desktop users since it generates a
> > > flood of kernel log messages.
> > >
> >
> > Hi,
> > Do you have more information about this unwanted flood of messages? From my
> > personal experience on systems with SELinux and audit, the application
> > which produces the biggest number of audit events is Chromium, because of
> > misconfigured seccomp rules that report every call to set_robust_list() in
> > the audit log. This was reported two years ago on the Chromium bug tracker
> > and the developers seem unwilling to fix it
> > (https://bugs.chromium.org/p/chromium/issues/detail?id=456535). If there are
> > similar problems which need to be fixed before thinking of enabling audit
> > compilation in the Arch Linux kernel, where can I find information on them?
> >
> > Regards,
> > Nicolas
>
> Hi Nicolas,
>
> I have also seen a flood of audit messages arising from Chromium.
> However, the configuration I propose would not actually enable audit by
> default, i.e. unless you explicitly set "audit=1" on the bootloader's kernel
> command line, the audit subsystem will be disabled and thus silent. In other
> words, if you don't want to use SELinux/audit, the impact should be minimal.
>
> Since the Chromium bug you mentioned is an application bug, I don't think it
> should hinder enabling the audit option, especially since audit would be
> opt-in.

It's not a bug. It's intentional hardening... and is correct.

> The reason for Chromium's message floods is that Chromium creates quite a
> lot of processes and (as written in the bug report you mentioned)
> set_robust_list is called during that. So floods of audit messages should be
> rather atypical.
>
> Greetings
> Tobias
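Added example, not part of this thread or of any project mentioned in it: a small triage script that groups audit `type=SECCOMP` records by program, syscall and seccomp action, so a log flood of the kind discussed above can be attributed to one application's seccomp filter (a `code=0x50000`, i.e. SECCOMP_RET_ERRNO, denial of set_robust_list) rather than to SELinux, whose denials arrive as `type=AVC`. The sample log lines are constructed, and the x86_64 syscall table is deliberately partial.

```python
"""Attribute audit SECCOMP records to (comm, syscall, action) tuples."""
import re
from collections import Counter

# Action part of the seccomp return value (masked with SECCOMP_RET_ACTION_FULL),
# values as defined in <linux/seccomp.h>.
SECCOMP_ACTIONS = {
    0x80000000: "KILL_PROCESS", 0x00000000: "KILL_THREAD", 0x00030000: "TRAP",
    0x00050000: "ERRNO", 0x7fc00000: "USER_NOTIF", 0x7ff00000: "TRACE",
    0x7ffc0000: "LOG", 0x7fff0000: "ALLOW",
}
# Partial x86_64 syscall table (audit arch=c000003e); 273 is set_robust_list.
X86_64_SYSCALLS = {56: "clone", 202: "futex", 273: "set_robust_list"}

SECCOMP_RE = re.compile(
    r'type=SECCOMP .*?comm="(?P<comm>[^"]*)".*?arch=(?P<arch>[0-9a-f]+)'
    r' syscall=(?P<nr>\d+).*?code=0x(?P<code>[0-9a-f]+)')

def parse_seccomp_record(line):
    """Return (comm, syscall name, action name), or None for non-SECCOMP lines."""
    m = SECCOMP_RE.search(line)
    if not m:
        return None
    nr = int(m.group("nr"))
    if m.group("arch") == "c000003e":
        name = X86_64_SYSCALLS.get(nr, f"syscall_{nr}")
    else:
        name = f"syscall_{nr}"  # other ABIs: report the raw number only
    action = SECCOMP_ACTIONS.get(int(m.group("code"), 16) & 0xffff0000, "UNKNOWN")
    return (m.group("comm"), name, action)

def summarize(lines):
    """Count SECCOMP events per (comm, syscall, action), most frequent first."""
    records = (parse_seccomp_record(line) for line in lines)
    return Counter(r for r in records if r is not None).most_common()

# Constructed sample: three Chromium events from an ERRNO filter, one AVC record.
SAMPLE_LOG = [
    'type=SECCOMP msg=audit(1486918400.001:101): auid=1000 uid=1000 gid=1000 ses=2 pid=4242 comm="chromium" exe="/usr/lib/chromium/chromium" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7f3a1c2b4e0e code=0x50000',
    'type=SECCOMP msg=audit(1486918400.002:102): auid=1000 uid=1000 gid=1000 ses=2 pid=4243 comm="chromium" exe="/usr/lib/chromium/chromium" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7f3a1c2b4e0e code=0x50000',
    'type=SECCOMP msg=audit(1486918400.003:103): auid=1000 uid=1000 gid=1000 ses=2 pid=4244 comm="chromium" exe="/usr/lib/chromium/chromium" sig=0 arch=c000003e syscall=273 compat=0 ip=0x7f3a1c2b4e0e code=0x50000',
    'type=AVC msg=audit(1486918400.004:104): avc:  denied  { read } for  pid=4245 comm="chromium" name="resolv.conf" dev="sda1" ino=12345 scontext=user_u:user_r:user_t tcontext=system_u:object_r:net_conf_t tclass=file permissive=0',
]

if __name__ == "__main__":
    for (comm, syscall, action), count in summarize(SAMPLE_LOG):
        print(f"{count:6d}  {comm:<16} {syscall:<20} {action}")
```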