* [Buildroot] [PATCH] package/refpolicy: Add option to disable "dontaudit" rules
@ 2021-01-27  9:56 Maxime Chevallier
  2021-01-27 10:01 ` Thomas Petazzoni
  0 siblings, 1 reply; 4+ messages in thread
From: Maxime Chevallier @ 2021-01-27  9:56 UTC (permalink / raw)
  To: buildroot

Some rules in the refpolicy are declared with "dontaudit", effectively
suppressing any AVC violation log, while still denying the actions.

This is useful in some cases, where denied actions are to be expected
but won't prevent the system from operating.

However in some other cases, the suppressed logs are important to
troubleshoot some issues.

Disabling the "dontaudit" rules can be done either from the running
system by rebuilding the policy with "semodules -DB", or when initially
building the policy by using the "enableaudit" make target.

This commit allows building the refpolicy with the "enableaudit" target
prior to installing it, thanks to a dedicated config option.

Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>
---
 package/refpolicy/Config.in    | 14 ++++++++++++++
 package/refpolicy/refpolicy.mk |  6 +++++-
 2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
index c529b85e1d..d6e195e8f8 100644
--- a/package/refpolicy/Config.in
+++ b/package/refpolicy/Config.in
@@ -111,6 +111,20 @@ config BR2_REFPOLICY_EXTRA_MODULES
 
 endif
 
+config BR2_REFPOLICY_DISABLE_DONTAUDIT
+	bool "Disable dontaudit"
+	help
+	  Builds the refpolicy with the "dontaudit" rules disabled.
+	  This will trigger unseen, and probably unharmful audit logs that are
+	  explicitely silenced otherwise. This option can be helpful for
+	  debugging purposes, should a silenced message cause a real issue
+	  that would otherwise be hard to troubleshoot.
+
+	  This option should be used for debugging purposes only, due to
+	  the amount of avc logs it generates.
+
+	  If unsure, select n.
+
 endif
 
 comment "refpolicy needs a toolchain w/ threads"
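Review bot: the help text has spelling problems in the added lines `+	  This will trigger unseen, and probably unharmful audit logs that are` / `+	  explicitely silenced otherwise.`: "explicitely" should be "explicitly" and "unharmful" reads better as "harmless". It would also help the user to say what the rules actually hide, e.g. "dontaudit rules suppress the AVC log line for denials that are expected; with this option every such denial is recorded", since that is the trade-off behind "debugging purposes only" and the log volume warning that follows.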
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index 0194708b37..7e78413a71 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -34,6 +34,9 @@ REFPOLICY_MAKE = \
 	$(TARGET_MAKE_ENV) \
 	$(MAKE1)
 
+REFPOLICY_EXTRA_MAKE_INSTALL_TARGETS = \
+	$(if $(BR2_REFPOLICY_DISABLE_DONTAUDIT),enableaudit)
+
 REFPOLICY_POLICY_VERSION = $(BR2_PACKAGE_LIBSEPOL_POLICY_VERSION)
 REFPOLICY_POLICY_STATE = \
 	$(call qstrip,$(BR2_PACKAGE_REFPOLICY_POLICY_STATE))
@@ -122,7 +125,8 @@ define REFPOLICY_INSTALL_STAGING_CMDS
 endef
 
 define REFPOLICY_INSTALL_TARGET_CMDS
-	$(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(TARGET_DIR) install
+	$(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(TARGET_DIR) \
+		$(REFPOLICY_EXTRA_MAKE_INSTALL_TARGETS) install
 	$(INSTALL) -m 0755 -D package/refpolicy/config \
 		$(TARGET_DIR)/etc/selinux/config
 	$(SED) "/^SELINUX=/c\SELINUX=$(REFPOLICY_POLICY_STATE)" \
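Review bot: `$(REFPOLICY_EXTRA_MAKE_INSTALL_TARGETS) install` on a single make command line gives make no ordering dependency between the enableaudit goal and install; it only comes out in the intended order because REFPOLICY_MAKE expands to $(MAKE1), a serial make. Since enableaudit rewrites the policy.conf that the build step produced rather than installing anything, it would be cleaner to run it as a post-build hook and keep INSTALL_TARGET_CMDS as the plain `$(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(TARGET_DIR) install` it was before.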
-- 
2.25.4


* [Buildroot] [PATCH] package/refpolicy: Add option to disable "dontaudit" rules
  2021-01-27  9:56 [Buildroot] [PATCH] package/refpolicy: Add option to disable "dontaudit" rules Maxime Chevallier
@ 2021-01-27 10:01 ` Thomas Petazzoni
  2021-01-27 10:34   ` Antoine Tenart
  0 siblings, 1 reply; 4+ messages in thread
From: Thomas Petazzoni @ 2021-01-27 10:01 UTC (permalink / raw)
  To: buildroot

On Wed, 27 Jan 2021 10:56:27 +0100
Maxime Chevallier <maxime.chevallier@bootlin.com> wrote:

> Some rules in the refpolicy are declared with "dontaudit", effectively
> suppressing any AVC violation log, while still denying the actions.
> 
> This is useful in some cases, where denied actions are to be expected
> but won't prevent the system from operating.
> 
> However in some other cases, the suppressed logs are important to
> troubleshoot some issues.
> 
> Disabling the "dontaudit" rules can be done either from the running
> system by rebuilding the policy with "semodules -DB", or when initially
> building the policy by using the "enableaudit" make target.
> 
> This commit allows building the refpolicy with the "enableaudit" target
> prior to installing it, thanks to a dedicated config option.
> 
> Signed-off-by: Maxime Chevallier <maxime.chevallier@bootlin.com>

Thanks for the patch!

>  define REFPOLICY_INSTALL_TARGET_CMDS
> -	$(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(TARGET_DIR) install
> +	$(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(TARGET_DIR) \
> +		$(REFPOLICY_EXTRA_MAKE_INSTALL_TARGETS) install

The INSTALL_TARGET_CMDS should normally only *install* the policy. The
policy is built in BUILD_CMDS. In commit
fb2968707bc66afb2c246d92e15f295475f23868, Antoine did some effort to
make sure that the policy gets built in BUILD_CMDS, and not in the
install, so it would be good to keep this behavior.

That being said, I'm not clear between what the "policy" make target
does (invoked in BUILD_CMDS) and what the "enableaudit" make target
does.

Thomas
-- 
Thomas Petazzoni, CTO, Bootlin
Embedded Linux and Kernel engineering
https://bootlin.com


* [Buildroot] [PATCH] package/refpolicy: Add option to disable "dontaudit" rules
  2021-01-27 10:01 ` Thomas Petazzoni
@ 2021-01-27 10:34   ` Antoine Tenart
  2021-01-27 14:40     ` Maxime Chevallier
  0 siblings, 1 reply; 4+ messages in thread
From: Antoine Tenart @ 2021-01-27 10:34 UTC (permalink / raw)
  To: buildroot

Quoting Thomas Petazzoni (2021-01-27 11:01:48)
> On Wed, 27 Jan 2021 10:56:27 +0100
> Maxime Chevallier <maxime.chevallier@bootlin.com> wrote:
> 
> >  define REFPOLICY_INSTALL_TARGET_CMDS
> > -     $(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(TARGET_DIR) install
> > +     $(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(TARGET_DIR) \
> > +             $(REFPOLICY_EXTRA_MAKE_INSTALL_TARGETS) install
> 
> That being said, I'm not clear between what the "policy" make target
> does (invoked in BUILD_CMDS) and what the "enableaudit" make target
> does.

The 'policy' target generates a policy.conf file (among other things)
and 'enableaudit' removes lines from this file. While 'enableaudit'
seems like a configuration step, it is in fact a fixup one.

Maybe a POST_BUILD_HOOK would be better for that?

On a side note, there is no dependency between 'enableaudit' and
'install'. The above change only works because REFPOLICY_MAKE uses
MAKE1. (We have the same construct in the configuration step).

Antoine
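To make concrete what the commit message says about "dontaudit" (denied but not logged) and what Antoine describes the enableaudit target doing (stripping those lines from policy.conf), here is an added example, not code from Buildroot or refpolicy. It parses a constructed policy.conf fragment, classifies an access as allowed, denied-and-logged or denied-and-silent, and shows how the classification changes once the dontaudit lines are removed; the rule names and the enableaudit mimic are assumptions for illustration.

```python
import re

# Constructed policy.conf fragment in kernel policy language (not from
# refpolicy): the type names and rules are illustrative only.
POLICY_CONF = """\
allow httpd_t httpd_config_t:file { read getattr open };
dontaudit httpd_t shadow_t:file { read getattr open };
allow sshd_t shadow_t:file { read getattr open };
dontaudit init_t proc_t:dir search;
"""

# Only plain allow/dontaudit rules are handled; attributes, conditionals
# and neverallow are not expanded (use sesearch against a real policy).
RULE_RE = re.compile(
    r"^\s*(allow|dontaudit)\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;")


def parse_rules(text):
    """Return a list of (kind, source, target, class, perms) tuples."""
    rules = []
    for line in text.splitlines():
        m = RULE_RE.match(line)
        if m:
            kind, src, tgt, cls, perms = m.groups()
            rules.append((kind, src, tgt, cls,
                          frozenset(perms.strip("{}").split())))
    return rules


def enableaudit(text):
    """Assumed mimic of refpolicy's 'enableaudit' fixup as described in
    the thread: drop every dontaudit line from the generated policy.conf."""
    kept = [ln for ln in text.splitlines()
            if not ln.lstrip().startswith("dontaudit")]
    return "\n".join(kept) + "\n"


def check_access(rules, src, tgt, cls, perm):
    """Classify one access: 'allowed', 'denied-logged' (an AVC denial
    reaches the audit log) or 'denied-silent' (denied, nothing logged)."""
    def matches(kind):
        return any(k == kind and (s, t, c) == (src, tgt, cls) and perm in p
                   for k, s, t, c, p in rules)
    if matches("allow"):
        return "allowed"
    return "denied-silent" if matches("dontaudit") else "denied-logged"


if __name__ == "__main__":
    for name, text in (("default", POLICY_CONF),
                       ("enableaudit", enableaudit(POLICY_CONF))):
        print(name, check_access(parse_rules(text),
                                 "httpd_t", "shadow_t", "file", "read"))
```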


* [Buildroot] [PATCH] package/refpolicy: Add option to disable "dontaudit" rules
  2021-01-27 10:34   ` Antoine Tenart
@ 2021-01-27 14:40     ` Maxime Chevallier
  0 siblings, 0 replies; 4+ messages in thread
From: Maxime Chevallier @ 2021-01-27 14:40 UTC (permalink / raw)
  To: buildroot

Hi Antoine, Thomas,

Thanks for the reviews!

On Wed, 27 Jan 2021 11:34:35 +0100
Antoine Tenart <atenart@kernel.org> wrote:

>Quoting Thomas Petazzoni (2021-01-27 11:01:48)
>> On Wed, 27 Jan 2021 10:56:27 +0100
>> Maxime Chevallier <maxime.chevallier@bootlin.com> wrote:
>>   
>> >  define REFPOLICY_INSTALL_TARGET_CMDS
>> > -     $(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(TARGET_DIR) install
>> > +     $(REFPOLICY_MAKE) -C $(@D) DESTDIR=$(TARGET_DIR) \
>> > +             $(REFPOLICY_EXTRA_MAKE_INSTALL_TARGETS) install  
>> 
>> That being said, I'm not clear between what the "policy" make target
>> does (invoked in BUILD_CMDS) and what the "enableaudit" make target
>> does.  
>
>The 'policy' target generates a policy.conf file (among other things)
>and 'enableaudit' removes lines from this file. While 'enableaudit'
>seems like a configuration step, it is in fact a fixup one.
>
>Maybe a POST_BUILD_HOOK would be better for that?

You're correct, it seems to be a better way to go, I'll send a v2 with
that solution :)

Thanks,

Maxime

>On a side note, there is no dependency between 'enableaudit' and
>'install'. The above change only works because REFPOLICY_MAKE uses
>MAKE1. (We have the same construct in the configuration step).
>
>Antoine



-- 
Maxime Chevallier, Bootlin
Embedded Linux and kernel engineering
https://bootlin.com

