One of the reasons I dislike SELinux

September 19, 2006

I have a fixed personal opinion that systems should not spew kernel messages in the course of normal system operation, and especially not over the console. As I am busy finding out, yet again, SELinux fails this test in at least some circumstances on Fedora Core 5.

(Possibly the circumstances were odd, since my FC5 install hadn't managed to run the 'firstboot' stuff due to the un-upgraded X server crashing on this machine's hardware. Still, I brought it up in a normal runlevel 3 multiuser boot and started getting the spew when I did a 'yum update xorg-*'.)

Software should be silent in general logs unless either something is wrong or I have specifically asked for the information to be logged. I have not asked SELinux to natter at me, and if the stock SELinux configuration on a stock Fedora Core 5 machine has something wrong, I don't exactly want to be running it.

The idea that SELinux should log this stuff to the kernel log 'just in case' doesn't scale. SELinux is not the only kernel subsystem that might want to log things just in case, and if every one of them did, the kernel log buffer would probably roll over in about sixty seconds flat.

The right way to log this sort of just-in-case information is to put it in some special place, reserved for it, so that no one has to pay attention if they don't care. And make sure the log gets rolled, too.
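As an added illustration (this is not code from the original post): the kernel.printk sysctl is what decides which kernel messages reach the console, and the audit daemon is the 'special place' with its own rotation that SELinux's records can go to instead of the kernel log. The shell below models the console rule on a constructed sample of sysctl output, derives a setting that keeps notices off the console, and notes the auditd route. The remediation commands, the auditd.conf values and the Red Hat-style service names are assumptions, not taken from the post.

```shell
#!/bin/sh
# Added example, not from the original post. Models which kernel messages reach
# the console under a given kernel.printk setting and derives a quieter one.
# Sample sysctl output and the remediation commands below are assumptions.

# Constructed sample of `sysctl kernel.printk` output. The four fields are
# console_loglevel, default_message_loglevel, minimum_console_loglevel and
# default_console_loglevel.
SAMPLE_PRINTK_DEFAULT="kernel.printk = 7 4 1 7"

# Audit records (SELinux AVC denials included) that no audit daemon is
# listening for are printk'd by the kernel at KERN_NOTICE, syslog level 5.
AVC_LEVEL=5

# printk_field LINE N: print field N (1-4) of a "kernel.printk = a b c d" line.
printk_field() {
    n=$2
    # Strip the "kernel.printk =" prefix, then split the values on whitespace.
    set -- $(printf '%s\n' "$1" | sed 's/^kernel\.printk[[:space:]]*=[[:space:]]*//')
    shift $((n - 1))
    printf '%s\n' "$1"
}

# reaches_console CONSOLE_LOGLEVEL MSG_LEVEL: succeed if the kernel would print
# a message of MSG_LEVEL on the console. The kernel's rule is that a message
# is shown when its level is strictly below console_loglevel.
reaches_console() {
    [ "$2" -lt "$1" ]
}

# quiet_printk LINE: the kernel.printk value with console_loglevel lowered to
# AVC_LEVEL, so notices (5) and anything less urgent stay off the console while
# warnings (4) and errors still appear. Never goes below the kernel's
# minimum_console_loglevel (field 3).
quiet_printk() {
    min=$(printk_field "$1" 3)
    new=$AVC_LEVEL
    [ "$new" -lt "$min" ] && new=$min
    printf '%s %s %s %s\n' "$new" "$(printk_field "$1" 2)" "$min" "$(printk_field "$1" 4)"
}

# demo: run the check on the constructed sample and print the suggested setting.
demo() {
    cur=$(printk_field "$SAMPLE_PRINTK_DEFAULT" 1)
    if reaches_console "$cur" "$AVC_LEVEL"; then
        printf 'console_loglevel %s lets level-%s notices through; suggested kernel.printk: %s\n' \
            "$cur" "$AVC_LEVEL" "$(quiet_printk "$SAMPLE_PRINTK_DEFAULT")"
    else
        printf 'console_loglevel %s already keeps level-%s notices off the console\n' \
            "$cur" "$AVC_LEVEL"
    fi
}

# To apply on a live system as root (assumed commands):
#   sysctl -w kernel.printk="$(quiet_printk "$(sysctl kernel.printk)")"
# That only silences the console. The records still fill the kernel ring buffer
# (dmesg) and reach /var/log/messages through klogd. To keep them out of the
# general logs entirely, give them their own home: run the audit daemon, so the
# kernel hands audit records to it over netlink instead of printk, and let it
# rotate its own log file (auditd.conf keys, assumed values, location varies by
# version: max_log_file = 5, num_logs = 4, max_log_file_action = ROTATE).
#   chkconfig auditd on && service auditd start
```

The console_loglevel change is the quick fix for the spew on the console; only the auditd route satisfies the second complaint above, that kernel log space is shared by every subsystem.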
