Turn off SELinux "avc: granted" logging

Daniel J Walsh dwalsh at redhat.com
Tue Apr 4 12:13:08 UTC 2006


J. K. Cliburn wrote:
> Recently I waded into the deep end of the SELinux pool by configuring
> it to enforce targeted policy.  Unfortunately I get a seemingly
> endless quantity of "avc: granted" messages in my syslog, especially
> when I do something like mindlessly playing a java-based poker game. 
> Seems to me it'd be fine if it logged only "avc: denied" events.  Is
> there a way to configure things to do just that?  Am I shunting the
> security intent of SELinux by doing so?
>
> Sample log of java_vm session (about 35 seconds wall time):
>
> Apr  3 18:57:44 localhost kernel: audit(1144108664.329:1030): avc: 
> granted  { execmem } for  pid=32484 comm="java_vm"
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> Apr  3 18:57:49 localhost kernel: audit(1144108669.354:1031): avc: 
> granted  { execmem } for  pid=32484 comm="java_vm"
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> Apr  3 18:57:49 localhost kernel: audit(1144108669.978:1032): avc: 
> granted  { execmem } for  pid=32484 comm="java_vm"
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> Apr  3 18:57:53 localhost kernel: audit(1144108673.818:1033): avc: 
> granted  { execmem } for  pid=32484 comm="java_vm"
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> Apr  3 18:57:59 localhost kernel: audit(1144108679.598:1034): avc: 
> granted  { execmem } for  pid=32484 comm="java_vm"
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> Apr  3 18:58:01 localhost kernel: audit(1144108681.606:1035): avc: 
> granted  { execmem } for  pid=32484 comm="java_vm"
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
> Apr  3 18:58:05 localhost kernel: audit(1144108685.787:1036): avc: 
> granted  { execmem } for  pid=32484 comm="java_vm"
> scontext=user_u:system_r:unconfined_t:s0
> tcontext=user_u:system_r:unconfined_t:s0 tclass=process
>
>
> Thanks,
> Jay
>
Where is the java executable located?  If you execute

chcon -t java_exec_t JAVAPATH

your execmem warnings should go away.

Dan
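To see whether the "avc: granted" noise really is all one program's execmem (and whether it stops after the relabel Dan suggests), here is an added parser for the AVC record format shown above; it is example code, not part of the thread or of any SELinux tool, and the denial record in the sample is constructed to show both decisions.

```python
import re
from collections import Counter

# Kernel AVC record as it appears in syslog (format taken from the thread).
AVC_RE = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s*"
    r"(?P<decision>granted|denied)\s*\{(?P<perms>[^}]*)\}\s*for\s+(?P<fields>.*)$"
)

def parse_avc(line):
    """Return a dict for one AVC record, or None if the line is not an AVC record."""
    m = AVC_RE.search(line)
    if m is None:
        return None
    fields = {}
    for token in m.group("fields").split():
        key, _, value = token.partition("=")
        fields[key] = value.strip('"')      # comm="java_vm" -> java_vm
    return {
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),    # "granted" (auditallow) or "denied"
        "perms": m.group("perms").split(),  # "{ execmem }" -> ["execmem"]
        **fields,                           # pid, comm, scontext, tcontext, tclass, ...
    }

def summarize(lines):
    """Count (decision, comm, permission, tclass) tuples across a log."""
    counts = Counter()
    for line in lines:
        rec = parse_avc(line)
        if rec is None:
            continue                        # unrelated syslog line
        for perm in rec["perms"]:
            counts[(rec["decision"], rec.get("comm"), perm, rec.get("tclass"))] += 1
    return counts

def noisy_grants(counts, threshold=2):
    """Granted events seen at least `threshold` times: the relabel candidates."""
    return sorted(k for k, n in counts.items() if k[0] == "granted" and n >= threshold)

# Constructed sample: three granted records from the thread re-joined onto single
# lines (syslog writes each record on one line), plus one constructed denial.
SAMPLE_LOG = [
    'Apr  3 18:57:44 localhost kernel: audit(1144108664.329:1030): avc:  granted  { execmem } for  pid=32484 comm="java_vm" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process',
    'Apr  3 18:57:49 localhost kernel: audit(1144108669.354:1031): avc:  granted  { execmem } for  pid=32484 comm="java_vm" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process',
    'Apr  3 18:57:49 localhost kernel: audit(1144108669.978:1032): avc:  granted  { execmem } for  pid=32484 comm="java_vm" scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:system_r:unconfined_t:s0 tclass=process',
    'Apr  3 18:58:10 localhost kernel: audit(1144108690.001:1037): avc:  denied  { write } for  pid=32484 comm="java_vm" name="poker.dat" dev=hda2 ino=4242 scontext=user_u:system_r:unconfined_t:s0 tcontext=user_u:object_r:user_home_t:s0 tclass=file',
    'Apr  3 18:58:11 localhost kernel: eth0: link up',
]

if __name__ == "__main__":
    for key, n in sorted(summarize(SAMPLE_LOG).items()):
        print(n, *key)
    print("noisy grants:", noisy_grants(summarize(SAMPLE_LOG)))
```

Run it against /var/log/messages before and after the chcon; a remaining granted line with comm="java_vm" means the binary at JAVAPATH is not the one actually being executed.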
