From: jeffxu@chromium.org
To: selinux@vger.kernel.org
Cc: linux-security-module@vger.kernel.org, jorgelo@chromium.org,
groeck@chromium.org, Jeff Xu <jeffxu@chromium.org>,
Luis Hector Chavez <lhchavez@google.com>,
Luis Hector Chavez <lhchavez@chromium.org>
Subject: [PATCH 1/1] Add CONFIG_SECURITY_SELINUX_PERMISSIVE_DONTAUDIT
Date: Wed, 21 Sep 2022 18:54:26 +0000 [thread overview]
Message-ID: <20220921185426.1663357-2-jeffxu@chromium.org> (raw)
In-Reply-To: <20220921185426.1663357-1-jeffxu@chromium.org>
From: Jeff Xu <jeffxu@chromium.org>
When SECURITY_SELINUX_DEVELOP=y and the system is running in permissive
mode, it is useful to disable logging from permissive domain, so audit
log does not get spamed.
Signed-off-by: Jeff Xu <jeffxu@chromium.org>
Signed-off-by: Luis Hector Chavez <lhchavez@google.com>
Tested-by: Luis Hector Chavez <lhchavez@chromium.org>
Tested-by: Jeff Xu<jeffxu@chromium.org>
---
security/selinux/Kconfig | 10 ++++++++++
security/selinux/avc.c | 9 +++++++++
2 files changed, 19 insertions(+)
diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index 9e921fc72538..99b8b88abc3d 100644
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -61,6 +61,16 @@ config SECURITY_SELINUX_DEVELOP
permissive mode (if permitted by the policy) via
/sys/fs/selinux/enforce.
+config SECURITY_SELINUX_PERMISSIVE_DONTAUDIT
+ bool "NSA SELinux don't audit permissive"
+ depends on SECURITY_SELINUX
+ default n
+ help
+ This prevents logging when permissive=1. If unsure, say N. With
+ this option enabled, any avc logs that would occur on a permissive
+ domain won't be logged. This can prevent a significant amount of
+ logspam.
+
config SECURITY_SELINUX_AVC_STATS
bool "NSA SELinux AVC Statistics"
depends on SECURITY_SELINUX
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 9a43af0ebd7d..2f0a49d7c714 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -777,6 +777,15 @@ noinline int slow_avc_audit(struct selinux_state *state,
if (WARN_ON(!tclass || tclass >= ARRAY_SIZE(secclass_map)))
return -EINVAL;
+ /*
+ * Avoid logging permissive=1 messages for
+ * SECURITY_SELINUX_PERMISSIVE_DONTAUDIT.
+ */
+ if (IS_ENABLED(CONFIG_SECURITY_SELINUX_PERMISSIVE_DONTAUDIT) && denied
+ && !result) {
+ return 0;
+ }
+
if (!a) {
a = &stack_data;
a->type = LSM_AUDIT_DATA_NONE;
--
2.37.3.968.ga6b4b080e4-goog
next prev parent reply other threads:[~2022-09-21 18:54 UTC|newest]
Thread overview: 15+ messages / expand[flat|nested] mbox.gz Atom feed top
2022-09-21 18:54 [PATCH 0/1] Add CONFIG_SECURITY_SELINUX_PERMISSIVE_DONTAUDIT jeffxu
2022-09-21 18:54 ` jeffxu [this message]
2022-09-21 19:11 ` [PATCH 1/1] " Paul Moore
2022-09-23 17:43 ` Jeff Xu
2022-09-23 18:04 ` Paul Moore
2022-09-23 18:45 ` Dominick Grift
2022-09-26 18:03 ` Jeff Xu
2022-09-26 21:40 ` Paul Moore
2022-09-28 16:49 ` Jeff Xu
2023-02-13 5:44 ` Jeff Xu
2023-02-13 7:39 ` Dominick Grift
2023-02-17 15:22 ` Stephen Smalley
2023-02-17 15:25 ` Stephen Smalley
2023-03-10 0:32 ` Jeff Xu
2022-09-21 19:10 ` [PATCH 0/1] " Casey Schaufler
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20220921185426.1663357-2-jeffxu@chromium.org \
--to=jeffxu@chromium.org \
--cc=groeck@chromium.org \
--cc=jorgelo@chromium.org \
--cc=lhchavez@chromium.org \
--cc=lhchavez@google.com \
--cc=linux-security-module@vger.kernel.org \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).