From: Maxime Chevallier <maxime.chevallier@bootlin.com>
To: buildroot@busybox.net
Subject: [Buildroot] [PATCH] package/refpolicy: Add option to disable "dontaudit" rules
Date: Wed, 27 Jan 2021 10:56:27 +0100	[thread overview]
Message-ID: <20210127095627.789080-1-maxime.chevallier@bootlin.com> (raw)

Some rules in the refpolicy are declared with "dontaudit", effectively
suppressing any AVC violation log, while still denying the actions.

This is useful in some cases, where denied actions are to be expected
but won't prevent the system from operating.

However, in some other cases, the suppressed logs are important to
troubleshoot some issues.

Disabling the "dontaudit" rules can be done either from the running
system by rebuilding the policy with "semodules -DB", or when initially
building the policy by using the "enableaudit" make target.

This commit allows building the refpolicy with the "enableaudit" target
prior to installing it, thanks to a dedicated config option.

Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
---
 package/refpolicy/Config.in    | 14 ++++++++++++++
 package/refpolicy/refpolicy.mk |  6 +++++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
index c529b85e1d..d6e195e8f8 100644
--- a/package/refpolicy/Config.in
+++ b/package/refpolicy/Config.in
@@ -111,6 +111,20 @@ config BR2_REFPOLICY_EXTRA_MODULES
 
 endif
 
+config BR2_REFPOLICY_DISABLE_DONTAUDIT
+	bool "Disable dontaudit"
+	help
+	  Builds the refpolicy with the "dontaudit" rules disabled.
+	  This will trigger unseen, and probably unharmful audit logs that are
+	  explicitely silenced otherwise. This option can be helpful for
+	  debugging purposes, should a silenced message cause a real issue
+	  that would otherwise be hard to troubleshoot.
+
+	  This option should be used for debugging purposes only, due to
+	  the amount of avc logs it generates.
+
+	  If unsure, select n.
+
 endif
 
 comment "refpolicy needs a toolchain w/ threads"
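Review bot: The help text for BR2_REFPOLICY_DISABLE_DONTAUDIT has two spelling/wording issues: "explicitely" should be "explicitly", and "probably unharmful audit logs" reads better as "probably harmless AVC denials". It would also help users to state in the help text that this is the build-time equivalent of `semodule -DB` mentioned in the commit message, and that the extra AVC messages land in the audit log on the target, so they know where to look and what volume to expect.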
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index 0194708b37..7e78413a71 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -34,6 +34,9 @@ REFPOLICY_MAKE = \
 	$(TARGET_MAKE_ENV) \
 	$(MAKE1)
 
+REFPOLICY_EXTRA_MAKE_INSTALL_TARGETS = \
+	$(if $(BR2_REFPOLICY_DISABLE_DONTAUDIT),enableaudit)
+
 REFPOLICY_POLICY_VERSION = $(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION)
 REFPOLICY_POLICY_STATE = \
 	$(call qstrip,$(BR2_PACKAGE_REFPOLICY_POLICY_STATE))
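Review bot: Style point on REFPOLICY_EXTRA_MAKE_INSTALL_TARGETS: Buildroot .mk files usually express this with an `ifeq ($(BR2_REFPOLICY_DISABLE_DONTAUDIT),y)` block and `+=` rather than a `$(if ...)` expression, which keeps the variable easy to extend with further targets and matches the surrounding style. A one-line comment explaining that `enableaudit` is the refpolicy make target that drops the dontaudit rules would also help, since the name is not self-explanatory.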
@@ -122,7 +125,8 @@ define REFPOLICY_INSTALL_STAGING_CMDS
 endef
 
 define REFPOLICY_INSTALL_TARGET_CMDS
-	$(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(TARGET_DIR) install
+	$(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(TARGET_DIR) \
+		$(REFPOLICY_EXTRA_MAKE_INSTALL_TARGETS) install
 	$(INSTALL) -m 0755 -D package/refpolicy/config \
 		$(TARGET_DIR)/etc/selinux/config
 	$(SED) "/^SELINUX=/c\SELINUX=$(REFPOLICY_POLICY_STATE)" \
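Review bot: Passing `$(REFPOLICY_EXTRA_MAKE_INSTALL_TARGETS) install` as two goals on one make invocation relies on `enableaudit` running before `install`; GNU make only guarantees goal order in serial mode, which holds here because REFPOLICY_MAKE uses $(MAKE1), but that dependency is implicit. Consider either adding a comment stating that the ordering requires $(MAKE1), or running the two targets as separate `$(REFPOLICY_MAKE)` invocations so the ordering does not depend on the parallelism setting.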
-- 
2.25.4

Thread overview: 4+ messages
2021-01-27  9:56 Maxime Chevallier [this message]
2021-01-27 10:01 ` [Buildroot] [PATCH] package/refpolicy: Add option to disable "dontaudit" rules Thomas Petazzoni
2021-01-27 10:34   ` Antoine Tenart
2021-01-27 14:40     ` Maxime Chevallier
