Andrew Jones wrote:
> (Apologies in advance for the length of this mail. I am a total noob at
> SELinux so my vocabulary is probably not correct. Hopefully you will be
> able to understand from context what I am trying to say.)
>
> I have been setting up x11vnc on some of my machines. It looks like
> there are a hundred different ways of setting it up but I have chosen to
> follow the spirit of this entry in the Fedora Forum:
>
> http://forums.fedoraforum.org/showpost.php?p=1448696&postcount=2
>
> This works with SELinux permissive but fails completely when enforcing.
>
> Even when running permissively there are so many SELinux events in the
> first few seconds that many are dropped as shown here:
>
> Jan 29 03:44:10 ecafe audispd: queue is full - dropping event
>
> After several hours of scouring the system log, running sealert and
> creating policies, rinsing and repeating I think I have generated the
> command line that will identify all the events which occur during an
> x11vnc session:
>
> egrep ps\|x11vnc\|tcpd\|mission-control /var/log/audit/audit.log |
> audit2allow -M mypol
>
> By repetitively running that line, applying the generated policy then
> restarting the computer and launching a new vnc session eventually all
> the events are able to be recorded without filling the queue.
>

Andrew,

First of all, how did you install x11vnc? Did you use yum, or is this from a tarball? You should ALWAYS prefer yum install, since this will get all dependencies, and install policy as part of the package.

Secondly, you should be looking at what it wants to do. For example, the fact that mcelog is in there worries me, a *lot*, since mcelog records ->hardware errors<-, meaning that you could be having hardware issues.

Third, read the man page for audit2allow. It tells you how to convert from text policy to compiled and install it. It's not complicated.

Fourth, the "dropped" indicates that there are so many errors the queue can't keep up.
From an old closed bug, one note for this problem is:

-b 8192 in auditd.conf
priority_boost = 4 in auditd.conf
priority_boost = 8 in audispd.conf
q_depth = 2048 in audispd.conf

        mark

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
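
Added example, not part of the original thread and not code from any SELinux tool: a small Python reviewer that groups AVC denials by source type, target type and class so each rule can be read before it is turned into policy, and that lists commands nobody expected to see (the mcelog concern in the reply). The log lines and the `example_*_t` type names are constructed for illustration, and the filter matches the `comm` field exactly instead of matching a string anywhere in the line.

```python
import re
from collections import defaultdict

# Constructed sample records in audit.log AVC format; the *_t type names are
# made up for illustration and are not taken from the thread or a real policy.
SAMPLE_LOG = '''\
type=AVC msg=audit(1296272650.101:201): avc:  denied  { read } for  pid=2101 comm="x11vnc" name=".Xauthority" dev=dm-0 ino=4711 scontext=system_u:system_r:example_vnc_t:s0 tcontext=system_u:object_r:example_xauth_t:s0 tclass=file
type=SYSCALL msg=audit(1296272650.101:201): arch=c000003e syscall=2 success=no exit=-13 comm="x11vnc" exe="/usr/bin/x11vnc"
type=AVC msg=audit(1296272650.350:202): avc:  denied  { open } for  pid=2101 comm="x11vnc" name=".Xauthority" dev=dm-0 ino=4711 scontext=system_u:system_r:example_vnc_t:s0 tcontext=system_u:object_r:example_xauth_t:s0 tclass=file
type=AVC msg=audit(1296272651.020:203): avc:  denied  { name_bind } for  pid=2140 comm="tcpd" src=5900 scontext=system_u:system_r:example_inetd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:example_port_t:s0 tclass=tcp_socket
type=AVC msg=audit(1296272655.700:204): avc:  denied  { read } for  pid=2188 comm="mcelog" name="mcelog" dev=tmpfs ino=5012 scontext=system_u:system_r:example_cron_t:s0 tcontext=system_u:object_r:example_device_t:s0 tclass=chr_file
'''

AVC_RE = re.compile(
    r'avc:\s+denied\s+\{(?P<perms>[^}]*)\}.*?comm="(?P<comm>[^"]*)".*?'
    r'scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+'
    r'tclass=(?P<tclass>\S+)'
)

def selinux_type(context):
    """Return the type field of a user:role:type:level context."""
    return context.split(":")[2]

def summarize_denials(log_text, comm_filter=None):
    """Group denials by (source type, target type, class), merging permissions."""
    rules = defaultdict(lambda: {"perms": set(), "comms": set(), "count": 0})
    for line in log_text.splitlines():
        m = AVC_RE.search(line) if line.startswith("type=AVC") else None
        if m is None or (comm_filter and m["comm"] not in comm_filter):
            continue
        key = (selinux_type(m["scontext"]), selinux_type(m["tcontext"]), m["tclass"])
        rules[key]["perms"].update(m["perms"].split())
        rules[key]["comms"].add(m["comm"])
        rules[key]["count"] += 1
    return dict(rules)

def render(rules):
    """One reviewable allow-style line per group, with the evidence behind it."""
    return [
        f"allow {src} {tgt}:{cls} {{ {' '.join(sorted(e['perms']))} }};"
        f"  # {e['count']} denial(s), comm={','.join(sorted(e['comms']))}"
        for (src, tgt, cls), e in sorted(rules.items())
    ]

def unexpected_comms(rules, expected):
    """Commands that triggered denials but are not part of the service under review."""
    return sorted({c for e in rules.values() for c in e["comms"]} - set(expected))

if __name__ == "__main__":
    print("\n".join(render(summarize_denials(SAMPLE_LOG))))
    print("unexpected:", unexpected_comms(summarize_denials(SAMPLE_LOG), {"x11vnc", "tcpd"}))
```
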