Have you tried tuning auditd and its dispatcher which could be audispd ? So for example, try feeding audispd with the following options: q_depth: increase it from its default value (which is 80 on Redhat's recent auditd) priority_boost = 0 Finally, if things don't improve, you could also try: overflow_action = suspend Other than this I don't know how to help. Good luck. On Sun, 2009-12-13 at 10:11 -0800, Justin P. Mattock wrote: > On 12/13/09 08:42, Guido Trentalancia wrote: > > Justin, > > > > your question seems more of an audit question. > > > > Why don't you use audit2allow to sort this out from a SELinux point of > > view instead than trying to shut up audit ? > > > > Audit2allow can generate custom rules for you from the analysis of your > > audit log messages. The rules can then be compiled into a custom policy > > module, that you can install with semodule. > > > > > > I can easily create an allow rule with audit2allow. > > The issue is not creating an allow rule, > but having Xorg.0.log spammed with a denial > causing the system to freeze up, until > the avc is done doing with whatever it's doing > (in this case logging many denials of the same one). > > hence the reason for wondering if theres a mechanism that could > be put in place like prinkt_ratelimit for > Xorg.0.log this way I don't get spammed with a denial. > > Justin P. Mattock > > > > -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
