From: Arnaldo Carvalho de Melo <arnaldo.melo@gmail.com>
To: Alexey Budankov <alexey.budankov@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <arnaldo.melo@gmail.com>,
Jiri Olsa <jolsa@redhat.com>, Namhyung Kim <namhyung@kernel.org>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Peter Zijlstra <peterz@infradead.org>,
Ingo Molnar <mingo@redhat.com>, Andi Kleen <ak@linux.intel.com>,
linux-kernel <linux-kernel@vger.kernel.org>,
"selinux@vger.kernel.org" <selinux@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>
Subject: Re: [PATCH v1] perf tool: make Perf tool aware of SELinux access control
Date: Fri, 20 Mar 2020 10:48:22 -0300 [thread overview]
Message-ID: <20200320134822.GA29833@kernel.org> (raw)
In-Reply-To: <d521a22d-9fa7-1bca-fa60-f23b55953c91@linux.intel.com>
Em Fri, Mar 20, 2020 at 03:24:47PM +0300, Alexey Budankov escreveu:
>
> On 19.03.2020 22:05, Arnaldo Carvalho de Melo wrote:
> > Em Thu, Mar 19, 2020 at 04:01:26PM -0300, Arnaldo Carvalho de Melo escreveu:
> <SNIP>
> >
> > So I'll try the steps below with/without your patch, and then... what
> > are the steps that a tester needs to go thru to have that refpolicy in?
> > Install some new SELinux package or library, spelling out in detail the
> > steps one needs to go thru helps reviewing/testing,
>
> Yes, sure. Steps to extend FC31 Targeted policy for testing perf_events access control:
Thanks a lot! This is the level of detail I was talking about, good job!
- Arnaldo
> * download selinux-policy srpm [1]: selinux-policy-3.14.4-48.fc31.src.rpm on my FC31
>
> * install srpm - it creates rpmbuild dir:
> [root@host ~]# rpm -Uhv selinux-policy-3.14.4-48.fc31.src.rpm
>
> * get into rpmbuild/SPECS dir and unpack sources:
> [root@host ~]# rpmbuild -bp selinux-policy.spec
>
> * Place patch below at rpmbuild/BUILD/selinux-policy-b86eaaf4dbcf2d51dd4432df7185c0eaf3cbcc02
> dir and apply it:
> [root@host ~]# patch -p1 < selinux-policy-perf-events-perfmon.patch
> patching file policy/flask/access_vectors
> patching file policy/flask/security_classes
> [root@host ~]# cat selinux-policy-perf-events-perfmon.patch
> diff -Nura a/policy/flask/access_vectors b/policy/flask/access_vectors
> --- a/policy/flask/access_vectors 2020-02-04 18:19:53.000000000 +0300
> +++ b/policy/flask/access_vectors 2020-02-28 23:37:25.000000000 +0300
> @@ -174,6 +174,7 @@
> wake_alarm
> block_suspend
> audit_read
> + perfmon
> }
>
> #
> @@ -1099,3 +1100,15 @@
>
> class xdp_socket
> inherits socket
> +
> +class perf_event
> +{
> + open
> + cpu
> + kernel
> + tracepoint
> + read
> + write
> +}
> +
> +
> diff -Nura a/policy/flask/security_classes b/policy/flask/security_classes
> --- a/policy/flask/security_classes 2020-02-04 18:19:53.000000000 +0300
> +++ b/policy/flask/security_classes 2020-02-28 21:35:17.000000000 +0300
> @@ -200,4 +200,6 @@
>
> class xdp_socket
>
> +class perf_event
> +
> # FLASK
>
> [root@host ~]#
>
> * get into rpmbuild/SPECS dir and build policy packages from patched sources:
> [root@host ~]# rpmbuild --noclean --noprep -ba selinux-policy.spec
> so you have this:
> [root@host ~]# ls -alh rpmbuild/RPMS/noarch/
> total 33M
> drwxr-xr-x. 2 root root 4.0K Mar 20 12:16 .
> drwxr-xr-x. 3 root root 4.0K Mar 20 12:16 ..
> -rw-r--r--. 1 root root 112K Mar 20 12:16 selinux-policy-3.14.4-48.fc31.noarch.rpm
> -rw-r--r--. 1 root root 1.2M Mar 20 12:17 selinux-policy-devel-3.14.4-48.fc31.noarch.rpm
> -rw-r--r--. 1 root root 2.3M Mar 20 12:17 selinux-policy-doc-3.14.4-48.fc31.noarch.rpm
> -rw-r--r--. 1 root root 12M Mar 20 12:17 selinux-policy-minimum-3.14.4-48.fc31.noarch.rpm
> -rw-r--r--. 1 root root 4.5M Mar 20 12:16 selinux-policy-mls-3.14.4-48.fc31.noarch.rpm
> -rw-r--r--. 1 root root 111K Mar 20 12:16 selinux-policy-sandbox-3.14.4-48.fc31.noarch.rpm
> -rw-r--r--. 1 root root 14M Mar 20 12:17 selinux-policy-targeted-3.14.4-48.fc31.noarch.rpm
>
> * install SELinux packages from FC repo [2], if not already done so, and
> update with the patched rpms above:
> [root@host ~]# rpm -Uhv rpmbuild/RPMS/noarch/selinux-policy-*
>
> * there are also packages providing GUI interface and visualizing SELinux management
> [root@host ~]# dnf install policycoreutils-gui
>
> * enable SELinux Permissive mode for Targeted policy, if not already done so:
> [root@host ~]# cat /etc/selinux/config
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - No SELinux policy is loaded.
> SELINUX=permissive
> # SELINUXTYPE= can take one of these three values:
> # targeted - Targeted processes are protected,
> # minimum - Modification of targeted policy. Only selected processes are protected.
> # mls - Multi Level Security protection.
> SELINUXTYPE=targeted
>
> * enable filesystem SELinux labeling at the next reboot
> [root@host ~]# touch /.autorelabel
>
> * reboot machine and it will label filesystems and load Targeted policy into the kernel
>
> * login and check that dmesg output doesn't mention that perf_event class is unknown to SELinux subsystem
>
> * check that SELinux is enabled and in Permissive mode
> [root@host ~]# getenforce
> Permissive
>
> * turn SELinux into Enforcing mode:
> [root@host ~]# setenforce 1
> [root@host ~]# getenforce
> Enforcing
>
> * Now the machine is enabled to test the patch
>
> --- If something went wrong ---
>
> * To turn SELinux into Permissive mode: setenforce 0
> * To fully disable SELinux during kernel boot [3] set kernel command line parameter: selinux=0
> * To remove SELinux labeling from local filesystems: find / -mount -print0 | xargs -0 setfattr -h -x security.selinux
> * To fully turn SELinux off a machine set SELINUX=disabled at /etc/selinux/config file and reboot
>
> ~Alexey
>
> [1] https://download-ib01.fedoraproject.org/pub/fedora/linux/updates/31/Everything/SRPMS/Packages/s/selinux-policy-3.14.4-49.fc31.src.rpm
> [2] https://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html
> [3] https://danwalsh.livejournal.com/10972.html
>
--
- Arnaldo
prev parent reply other threads:[~2020-03-20 13:48 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2020-03-13 17:27 [PATCH v1] perf tool: make Perf tool aware of SELinux access control Alexey Budankov
2020-03-19 6:23 ` Alexey Budankov
2020-03-19 19:01 ` Arnaldo Carvalho de Melo
2020-03-19 19:05 ` Arnaldo Carvalho de Melo
2020-03-20 12:24 ` Alexey Budankov
2020-03-20 13:48 ` Arnaldo Carvalho de Melo [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=20200320134822.GA29833@kernel.org \
--to=arnaldo.melo@gmail.com \
--cc=ak@linux.intel.com \
--cc=alexander.shishkin@linux.intel.com \
--cc=alexey.budankov@linux.intel.com \
--cc=jolsa@redhat.com \
--cc=linux-kernel@vger.kernel.org \
--cc=linux-security-module@vger.kernel.org \
--cc=mingo@redhat.com \
--cc=namhyung@kernel.org \
--cc=peterz@infradead.org \
--cc=selinux@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).