On Fri, May 8, 2015 at 8:57 AM, Stephen Smalley <sds@xxxxxxxxxxxxx> wrote:
> On 05/08/2015 04:46 AM, Zhi Xin wrote:
>> Thanks for the detailed information!
>>
>> For the switch question, I get your point. logd.auditd is the switch for
>> whether logd can record SELinux audit logs. But I'm looking for the switch
>> for the ratelimit. I mean, removing the ratelimit is really helpful for
>> SELinux debugging, especially in the bringup stage. But meanwhile, removing
>> it just opens the gate for a potential DoS. So should we have a simple
>> command that can disable the ratelimit during bringup debugging and enable
>> it for release, just like we can switch to permissive mode by setenforce 0?
>
> For this, you'd need an audit boot parameter in order to fully disable
> the printk ratelimit even before logd starts. So it would require a
> kernel patch to define such a parameter. There are existing audit boot
> parameters for enabling/disabling audit (audit=0|1) and for setting the
> backlog limit (audit_backlog_limit=N). Those are defined in
> kernel/audit.c via __setup() calls. You could add an audit_ratelimit=N
> and/or an audit_printk_ratelimit=0|1 boot parameter.

For the record, I don't have a problem with accepting a patch that added a
boot parameter to control the audit ratelimit.

-- 
paul moore
www.paul-moore.com

_______________________________________________
Selinux mailing list
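The thread describes adding boot parameters such as audit_ratelimit=N and audit_printk_ratelimit=0|1 next to the existing audit= and audit_backlog_limit= handlers registered with __setup() in kernel/audit.c. The following is an added user-space model of that mechanism, not code from the thread, from the kernel, or from any submitted patch: it parses a kernel command line the way __setup() handlers receive the text after "name=", rejects malformed values instead of silently accepting them, defaults to rate limiting being on (the release-build posture), and applies a small interval/burst limiter so the effect of ratelimit=0 during bringup versus a nonzero limit in release can be observed. The parameter names, the handler names, the struct audit_cfg type and the window-based limiter shape are all assumptions made for illustration.

```c
/* Added example: a user-space model of audit boot parameters and a
 * ratelimit.  Parameter names, handler names, struct audit_cfg and the
 * limiter are hypothetical; they are not the kernel's own code. */
#define _POSIX_C_SOURCE 200809L
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Settings that the hypothetical boot parameters control. */
struct audit_cfg {
    unsigned long ratelimit;  /* audit records allowed per window, 0 = unlimited */
    int printk_ratelimit;     /* 1 = ratelimit "audit: lost" printks, 0 = never */
};

/* Handler shape mirrors a __setup() callback: it receives the text after
 * "name=" and returns 1 if the value was accepted, 0 if malformed. */
static int audit_ratelimit_set(const char *str, struct audit_cfg *cfg)
{
    char *end;
    unsigned long v;

    errno = 0;
    v = strtoul(str, &end, 10);
    if (errno || end == str || *end != '\0')
        return 0;                /* reject "", "abc", "5x", out of range */
    cfg->ratelimit = v;
    return 1;
}

static int audit_printk_ratelimit_set(const char *str, struct audit_cfg *cfg)
{
    if (strcmp(str, "0") == 0) { cfg->printk_ratelimit = 0; return 1; }
    if (strcmp(str, "1") == 0) { cfg->printk_ratelimit = 1; return 1; }
    return 0;                    /* only 0|1 are valid, like audit=0|1 */
}

/* Walk a space-separated command line and dispatch each "name=value" token
 * to its handler.  Unrecognised tokens are ignored, as the kernel ignores
 * parameters no __setup() entry claims.  Returns the number of accepted
 * audit parameters; defaults are the secure (rate limited) ones. */
int parse_cmdline(const char *cmdline, struct audit_cfg *cfg)
{
    static const struct {
        const char *prefix;
        int (*fn)(const char *, struct audit_cfg *);
    } table[] = {
        { "audit_ratelimit=",        audit_ratelimit_set },
        { "audit_printk_ratelimit=", audit_printk_ratelimit_set },
    };
    char buf[256];
    char *tok, *save;
    int accepted = 0;

    cfg->ratelimit = 5;          /* constructed release default */
    cfg->printk_ratelimit = 1;

    strncpy(buf, cmdline, sizeof(buf) - 1);
    buf[sizeof(buf) - 1] = '\0';

    for (tok = strtok_r(buf, " ", &save); tok; tok = strtok_r(NULL, " ", &save)) {
        for (size_t i = 0; i < sizeof(table) / sizeof(table[0]); i++) {
            size_t n = strlen(table[i].prefix);
            if (strncmp(tok, table[i].prefix, n) != 0)
                continue;
            if (table[i].fn(tok + n, cfg))
                accepted++;
            else
                fprintf(stderr, "audit: ignoring malformed parameter '%s'\n", tok);
        }
    }
    return accepted;
}

/* Fixed-window limiter: at most cfg->ratelimit records per `window` time
 * units; ratelimit == 0 disables limiting entirely (the bringup case).
 * Returns 1 if the record may be emitted, 0 if it should be counted as lost. */
int audit_allow(const struct audit_cfg *cfg, unsigned long now,
                unsigned long window, unsigned long *win_start,
                unsigned long *count)
{
    if (cfg->ratelimit == 0)
        return 1;
    if (now - *win_start >= window) {
        *win_start = now;
        *count = 0;
    }
    if (*count < cfg->ratelimit) {
        (*count)++;
        return 1;
    }
    return 0;
}

int main(void)
{
    /* Constructed command lines for the two scenarios in the thread. */
    const char *bringup = "console=ttyS0 audit=1 audit_ratelimit=0 audit_printk_ratelimit=0";
    const char *release = "console=ttyS0 audit=1 audit_ratelimit=3";
    struct audit_cfg cfg;
    unsigned long start = 0, count = 0, allowed = 0;

    parse_cmdline(bringup, &cfg);
    printf("bringup: ratelimit=%lu printk_ratelimit=%d\n", cfg.ratelimit, cfg.printk_ratelimit);

    parse_cmdline(release, &cfg);
    for (unsigned long t = 0; t < 10; t++)          /* 10 records in one window */
        allowed += audit_allow(&cfg, t, 100, &start, &count);
    printf("release: ratelimit=%lu, %lu of 10 records emitted\n", cfg.ratelimit, allowed);
    return 0;
}
```

The parser keeps the limiter enabled unless a parameter is both present and well formed, so a typo on the command line of a release image fails closed rather than open; on a real kernel the equivalent of `audit_allow` would sit beside the existing lost-message accounting in kernel/audit.c, which is where the thread places the proposed change.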