From: Daniel J Walsh <dwalsh@redhat.com>
To: Stephen Smalley <sds@tycho.nsa.gov>
Cc: SE Linux <selinux@tycho.nsa.gov>
Subject: Auditallow execmem
Date: Mon, 09 Jan 2006 11:09:03 -0500 [thread overview]
Message-ID: <43C28A9F.2070600@redhat.com> (raw)
Currently there are too many applications that need execmem, to turn off
allow_execmem by default. So I changed the policy
to auditallow execmem if there allow_execmem is set. This allows us to
at least discover applications in targeted policy that need
this priv, and then submit bugzillas for those apps, or fix policy to
allow them if it really is needed. The problem is that these messages
are not rate limited so you can end up with hundreds or thousands of
these messages in the log file. What do you think about limiting
auditallow message to once similar to the way we do in permissive mode?
Since this is by it's nature permissive. IE One pessage per PID.
type=AVC msg=audit(1136817016.558:1419): avc: granted { execmem } for
pid=2774 comm="firefox-bin" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1136817512.277:1420): avc: granted { execmem } for
pid=3208 comm="soffice.bin" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1136818328.051:1421): avc: granted { execmem } for
pid=3208 comm="soffice.bin" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1136819443.464:1428): avc: granted { execmem } for
pid=3208 comm="soffice.bin" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1136820377.510:1429): avc: granted { execmem } for
pid=3208 comm="soffice.bin" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1136821309.091:1435): avc: granted { execmem } for
pid=3208 comm="soffice.bin" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
type=AVC msg=audit(1136822165.482:1438): avc: granted { execmem } for
pid=3208 comm="soffice.bin" scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
...
Dan
--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.
next reply other threads:[~2006-01-09 16:09 UTC|newest]
Thread overview: 4+ messages / expand[flat|nested] mbox.gz Atom feed top
2006-01-09 16:09 Daniel J Walsh [this message]
2006-01-09 16:37 ` Auditallow execmem Stephen Smalley
2006-01-09 17:27 ` Joshua Brindle
2006-01-09 17:30 ` Steve G
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=43C28A9F.2070600@redhat.com \
--to=dwalsh@redhat.com \
--cc=sds@tycho.nsa.gov \
--cc=selinux@tycho.nsa.gov \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.