* logging messages
From: Russell Coker @ 2003-03-13 21:10 UTC
To: SE Linux
People have been asking how to turn off the SE Linux console messages (it gets
annoying having thousands of messages scrolling by while you're trying to fix
a problem).
The following command will direct all messages of default priority away from
the console. The default is "7 4 1 7". The second number is the priority of
default messages, setting it to 7 makes default messages of too low a
priority to be on the console.
echo "7 7 1 7" > /proc/sys/kernel/printk
It would be good if we had a tunable option in SE Linux to specify the
priority of the messages.
--
http://www.coker.com.au/selinux/ My NSA Security Enhanced Linux packages
http://www.coker.com.au/bonnie++/ Bonnie++ hard drive benchmark
http://www.coker.com.au/postal/ Postal SMTP/POP benchmark
http://www.coker.com.au/~russell/ My home page
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
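An added example, not part of the thread: rather than overwriting all four printk fields as the one-liner above does, these helpers change only the second field (default_message_loglevel) and check which loglevels still reach the console. Function names are my own; the field order (console, default message, minimum console, default console) is the kernel's documented /proc/sys/kernel/printk layout.

```shell
#!/bin/sh
# Added example (not from the mailing list thread). Works on the four
# space-separated fields of /proc/sys/kernel/printk:
#   console_loglevel default_message_loglevel minimum_console_loglevel default_console_loglevel

# Print the printk line that results from setting the default message
# loglevel (field 2) to $2, given the current line $1. Other fields stay.
set_default_loglevel() {
    cur=$1
    new=$2
    set -- $cur
    printf '%s %s %s %s\n' "$1" "$new" "$3" "$4"
}

# True (0) when a message of loglevel $2 is shown on the console under
# printk line $1: the kernel prints a message only when its loglevel is
# strictly lower than console_loglevel (field 1).
reaches_console() {
    level=$2
    set -- $1
    [ "$level" -lt "$1" ]
}

# Same check for a message printed with no explicit level, which gets
# default_message_loglevel (field 2). This is what the "7 4 1 7" -> "7 7 1 7"
# change in the message above turns off.
default_reaches_console() {
    set -- $1
    reaches_console "$1 $2 $3 $4" "$2"
}

# Apply to the running kernel: raise field 2 to the current console level so
# default-priority messages no longer qualify, whatever that level is.
# Needs root; silently skipped where /proc/sys/kernel/printk is read-only.
silence_default_messages() {
    f=/proc/sys/kernel/printk
    [ -w "$f" ] || { echo "skipping: $f not writable" >&2; return 0; }
    cur=$(cat "$f")
    set -- $cur
    set_default_loglevel "$cur" "$1" > "$f"
}
```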
* Re: logging messages
From: Stephen Smalley @ 2003-04-17 2:10 UTC
To: Daniel J Walsh; +Cc: SE Linux
On Thu, 2003-04-17 at 09:50, Daniel J Walsh wrote:
> How do I get the kernel to log a message again? Seems like the SELinux
> kernel only logs a denial message a single time after a reboot. When I
> change the policy and rerun the offending command I would like to see a
> new error message in /var/log/messages.
>
> Is there a way to turn this on?
When in permissive mode, SELinux logs each denial once and then adds the
corresponding permission to the cache so that you don't end up with a
flood of identical messages. The denial won't show up again until the
cache entry is reclaimed. You can reset the cache by reloading your
policy (e.g. running 'make reload' in the policy directory) or by
switching into enforcing mode (and then optionally back into permissive
mode) by using 'avc_toggle' (assuming that you are in a domain that can
do this).
When in enforcing mode, SELinux applies a rate limit to audit messages
to avoid flooding attacks. This is necessary even with benign
applications, because many applications don't bother checking error
codes on certain calls so they will generate a huge stream of repeat
denials. Long term, we would like to see the SELinux audit data handled
by a separate kernel auditing subsystem rather than the existing logging
facility.
--
Stephen Smalley <sds@epoch.ncsc.mil>
National Security Agency
* Re: logging messages
From: Daniel J Walsh @ 2003-04-17 13:50 UTC
To: SE Linux
How do I get the kernel to log a message again? Seems like the SELinux
kernel only logs a denial message a single time after a reboot. When I
change the policy and rerun the offending command I would like to see a
new error message in /var/log/messages.
Is there a way to turn this on?
Dan