On Sun, 2017-02-12 at 23:13 +0100, Nicolas Iooss wrote:
> On Sun, Feb 12, 2017 at 6:43 PM, Tobias Markus <tob...@miglix.eu> wrote:
>
> > Hi,
> >
> > As some of you might know, the question of enabling SELinux support in
> > the official Arch Linux kernel package has been brought up a number of
> > times. The main issue that has been pointed out the previous time was
> > that enabling SELinux depends on CONFIG_AUDIT which is considered
> > unnecessary or even harmful for most desktop users since it generates a
> > flood of kernel log messages.
> >
>
> Hi,
> Do you have more information about this unwanted flood of messages? From my
> personal experience on systems with SELinux and audit, the application
> which produces the biggest number of audit events is Chromium, because of
> misconfigured seccomp rules that report in audit log every call to
> set_robust_list(). This has been reported two years ago on Chromium bug
> tracker and the developers seem unwilling to fix it (
> https://bugs.chromium.org/p/chromium/issues/detail?id=456535). If there are
> similar problems which need to be fixed before thinking of enabling audit
> compilation in Arch Linux kernel, where can I find information on them?
>
> Regards,
> Nicolas
Hi Nicolas,

I have also seen a flood of audit messages arising from Chromium. However, the configuration I propose would not actually enable audit by default, i.e. unless you explicitly set "audit=1" in the bootloader's kernel command line, the audit subsystem will be disabled and thus silent. In other words, if you don't want to use SELinux/audit, the impact should be minimal.

Since the Chromium bug you mentioned is an application bug, I don't think it should hinder enabling the audit option, especially since audit would be opt-in. The reason for Chromium's message floods is that Chromium creates quite a lot of processes and (as written in the bug report you mentioned) set_robust_list is called during that. So floods of audit messages should be rather atypical.

Greetings,
Tobias
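As an added example that is not part of this thread: a small shell helper that summarises audit records by program and syscall, so that a system booted with audit=1 can tell a noisy seccomp filter (the Chromium set_robust_list case discussed above) from genuine SELinux denials. The sample records and the command-line check are constructed for illustration; syscall 273 is set_robust_list on x86_64.

```shell
#!/bin/sh
# Added example, not code from the mailing-list thread.
# Summarise SECCOMP and AVC audit records so the process that floods the
# log can be identified before deciding whether audit is "too noisy".
set -eu

# Read audit records on stdin, print "<count> <type> <comm> <syscall>",
# most frequent first. Records without a syscall field show "-".
audit_summary() {
    awk '
        /^type=(SECCOMP|AVC) / {
            type = ""; comm = "?"; sc = "-"
            for (i = 1; i <= NF; i++) {
                split($i, kv, "=")
                if (kv[1] == "type")    type = kv[2]
                if (kv[1] == "comm")    { comm = kv[2]; gsub(/"/, "", comm) }
                if (kv[1] == "syscall") sc = kv[2]
            }
            n[type " " comm " " sc]++
        }
        END { for (k in n) print n[k], k }
    ' | sort -rn
}

# True when the kernel command line opts in to audit, as the thread
# describes ("audit=1" must be set explicitly).
audit_enabled_by_cmdline() {
    case " $1 " in *" audit=1 "*) return 0 ;; *) return 1 ;; esac
}

# Constructed sample: three seccomp traps from chromium children on
# set_robust_list (273) and one real SELinux denial from httpd.
SAMPLE='type=SECCOMP msg=audit(1486924800.101:301): pid=4242 comm="chromium" arch=c000003e syscall=273 code=0x30000
type=SECCOMP msg=audit(1486924800.102:302): pid=4243 comm="chromium" arch=c000003e syscall=273 code=0x30000
type=SECCOMP msg=audit(1486924800.103:303): pid=4244 comm="chromium" arch=c000003e syscall=273 code=0x30000
type=AVC msg=audit(1486924800.104:304): avc:  denied  { read } for  pid=1771 comm="httpd" name="index.html" tclass=file permissive=0'

# Top entry of the summary for the constructed sample.
top_audit_entry() { printf '%s\n' "$SAMPLE" | audit_summary | head -n 1; }

# On a live system: ausearch -m SECCOMP,AVC --raw | audit_summary
```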