Turn off SELinux "avc: granted" logging

J. K. Cliburn jcliburn at gmail.com
Tue Apr 4 00:00:28 UTC 2006


Recently I waded into the deep end of the SELinux pool by configuring
it to enforce targeted policy.  Unfortunately I get a seemingly
endless quantity of "avc: granted" messages in my syslog, especially
when I do something like mindlessly playing a java-based poker game. 
Seems to me it'd be fine if it logged only "avc: denied" events.  Is
there a way to configure things to do just that?  Am I shunting the
security intent of SELinux by doing so?

Sample log of java_vm session (about 35 seconds wall time):

Apr  3 18:57:44 localhost kernel: audit(1144108664.329:1030): avc: 
granted  { execmem } for  pid=32484 comm="java_vm"
scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr  3 18:57:49 localhost kernel: audit(1144108669.354:1031): avc: 
granted  { execmem } for  pid=32484 comm="java_vm"
scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr  3 18:57:49 localhost kernel: audit(1144108669.978:1032): avc: 
granted  { execmem } for  pid=32484 comm="java_vm"
scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr  3 18:57:53 localhost kernel: audit(1144108673.818:1033): avc: 
granted  { execmem } for  pid=32484 comm="java_vm"
scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr  3 18:57:59 localhost kernel: audit(1144108679.598:1034): avc: 
granted  { execmem } for  pid=32484 comm="java_vm"
scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr  3 18:58:01 localhost kernel: audit(1144108681.606:1035): avc: 
granted  { execmem } for  pid=32484 comm="java_vm"
scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr  3 18:58:05 localhost kernel: audit(1144108685.787:1036): avc: 
granted  { execmem } for  pid=32484 comm="java_vm"
scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process


Thanks,
Jay
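Added example for this thread (not from the post, and not Fedora's or SELinux's own tooling): a small Python script that reassembles the mail-wrapped syslog records above into one record per audit event, parses the AVC fields, and keeps only the denials, so the "granted" noise can be dropped when reading the log regardless of how the policy's logging is configured. The log text inside it is constructed: three of the granted records from the post, plus one invented "denied" record (serial 1037, a write to resolv.conf labelled net_conf_t) so that the filter has something to keep.

```python
"""Reassemble wrapped SELinux AVC syslog records and keep only denials."""
import re
from collections import Counter

# Constructed sample: three "granted" records as they appear in the post
# (wrapped by the mail client) and one invented "denied" record.
SAMPLE_LOG = """\
Apr  3 18:57:44 localhost kernel: audit(1144108664.329:1030): avc:
granted  { execmem } for  pid=32484 comm="java_vm"
scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr  3 18:57:49 localhost kernel: audit(1144108669.354:1031): avc:
granted  { execmem } for  pid=32484 comm="java_vm"
scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr  3 18:57:49 localhost kernel: audit(1144108669.978:1032): avc:
granted  { execmem } for  pid=32484 comm="java_vm"
scontext=user_u:system_r:unconfined_t:s0
tcontext=user_u:system_r:unconfined_t:s0 tclass=process
Apr  3 18:58:10 localhost kernel: audit(1144108690.412:1037): avc:
denied  { write } for  pid=32484 comm="java_vm" name="resolv.conf" dev=hda2 ino=4242
scontext=user_u:system_r:unconfined_t:s0
tcontext=system_u:object_r:net_conf_t:s0 tclass=file
"""

# A syslog record begins with "Mon DD HH:MM:SS host"; any other line is a
# continuation produced by the mail client (or syslog) wrapping the record.
_RECORD_START = re.compile(r"^[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d \S+ ")
_AVC = re.compile(
    r"audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*avc:\s*"
    r"(?P<decision>granted|denied)\s*\{\s*(?P<perms>[^}]*?)\s*\}\s*for\s*(?P<rest>.*)$"
)
_KV = re.compile(r'(\w+)=("[^"]*"|\S+)')


def reassemble(text):
    """Join wrapped lines back into one logical record per audit event."""
    records = []
    for line in text.splitlines():
        if _RECORD_START.match(line):
            records.append(line.rstrip())
        elif records:
            records[-1] += " " + line.strip()
    return records


def parse_avc(record):
    """Return a dict for an AVC record, or None if the record is not one."""
    m = _AVC.search(record)
    if not m:
        return None
    fields = {k: v.strip('"') for k, v in _KV.findall(m.group("rest"))}
    return {
        "timestamp": float(m.group("ts")),
        "serial": int(m.group("serial")),
        "decision": m.group("decision"),
        "perms": m.group("perms").split(),
        "fields": fields,
    }


def avc_events(text, decisions=("denied",)):
    """Parse the log and keep only events whose decision is in `decisions`."""
    events = (parse_avc(r) for r in reassemble(text))
    return [e for e in events if e and e["decision"] in decisions]


def summarize(events):
    """Count events by (decision, comm, permissions, tclass) so a noisy
    source such as the execmem grants above collapses to a single line."""
    counts = Counter()
    for e in events:
        key = (e["decision"], e["fields"].get("comm", "?"),
               " ".join(e["perms"]), e["fields"].get("tclass", "?"))
        counts[key] += 1
    return counts


if __name__ == "__main__":
    for key, n in summarize(avc_events(SAMPLE_LOG, ("granted", "denied"))).items():
        print(n, *key)
    print("denials only:", [e["serial"] for e in avc_events(SAMPLE_LOG)])
```

Run it against a saved copy of /var/log/messages by reading the file into `avc_events` instead of `SAMPLE_LOG`. The summary view is the useful one for triage: "avc: granted" records are what the kernel emits for permissions the policy marks with an `auditallow` rule, so they are expected and repeat for every access, whereas each distinct "avc: denied" key is something worth looking at.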



