package/refpolicy: add config option for "enableaudit"

SELinux policies commonly contain "dontaudit" rules, which omit
certain denied actions from the audit logs to keep the log volume
manageable. When investigating issues this can become a problem in
itself because messages that could show the cause might be hidden.

The common advice is to use "semodule -DB" to temporarily disable the
dontaudit rules, but this is only possible with a modular policy,
while package/refpolicy builds a monolithic policy. Instead, the
Rules.monolithic makefile offers the "enableaudit" target, which
removes any dontaudit rules before compiling the policy.

This patch adds a config option to run the enableaudit target during
the configure stage, intended for debug builds.

Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Julien: remove unneeded "default n" in Config.in]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fiona Klute
2025-10-09 16:32:16 +02:00
committed by Julien Olivain
parent b9d3a0418b
commit ee984e116a
2 changed files with 19 additions and 0 deletions


@@ -121,6 +121,18 @@ config BR2_REFPOLICY_EXTRA_MODULES
endif
config BR2_REFPOLICY_ENABLEAUDIT
bool "remove dontaudit rules from policy (debugging only)"
help
Remove dontaudit rules from policy.conf before compiling the
policy. This can be useful for debugging to see "denied"
audit log messages that would otherwise be hidden, which
show the cause of problems.
Warning: This option will likely produce a high rate of
audit log messages, and should be enabled only for
debugging.
endif
comment "refpolicy needs a toolchain w/ threads, gcc >= 5, host gcc >= 5"
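Review bot: the help text should make explicit that the dontaudit rules are removed from the compiled policy that ends up installed on the target, not merely from build-time output, so a user who leaves this enabled in a production image ships a policy that logs every denial the refpolicy authors deliberately suppressed. It would also help to say that, because the enableaudit target edits the generated policy.conf in place, toggling the option requires reconfiguring the package (`make refpolicy-reconfigure`) rather than just rebuilding. A suggested rewording of the warning lines:
"Warning: this also applies to the policy installed on the target and"
"will likely produce a high rate of audit log messages; enable it only"
"for debugging, and run refpolicy-reconfigure after changing it."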


@@ -101,6 +101,12 @@ define REFPOLICY_CONFIGURE_SYSTEMD
endef
endif
ifeq ($(BR2_REFPOLICY_ENABLEAUDIT),y)
define REFPOLICY_CONFIGURE_ENABLEAUDIT
$(REFPOLICY_MAKE) -C $(@D) enableaudit
endef
endif
define REFPOLICY_CONFIGURE_CMDS
$(SED) "/OUTPUT_POLICY/c\OUTPUT_POLICY = $(REFPOLICY_POLICY_VERSION)" \
$(@D)/build.conf
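Review bot: REFPOLICY_CONFIGURE_ENABLEAUDIT is simply left undefined when BR2_REFPOLICY_ENABLEAUDIT is off, so its expansion inside REFPOLICY_CONFIGURE_CMDS is empty; that mirrors the REFPOLICY_CONFIGURE_SYSTEMD pattern just above and is fine. A one-line comment on the define noting that the enableaudit target rewrites policy.conf and therefore must run only after `conf` has generated it would document an ordering constraint that is otherwise only implicit in the hunk that calls it.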
@@ -111,6 +117,7 @@ define REFPOLICY_CONFIGURE_CMDS
$(REFPOLICY_COPY_EXTRA_MODULES)
)
$(REFPOLICY_MAKE) -C $(@D) bare conf
$(REFPOLICY_CONFIGURE_ENABLEAUDIT)
$(REFPOLICY_CONFIGURE_MODULES)
endef
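Review bot: $(REFPOLICY_CONFIGURE_ENABLEAUDIT) is placed after `bare conf` but before $(REFPOLICY_CONFIGURE_MODULES). If the modules step changes modules.conf and the subsequent build regenerates policy.conf from the new module list, the dontaudit rules stripped here would reappear in the compiled policy. Please confirm that policy.conf is not rebuilt during the build step with this ordering, or move the enableaudit call to the last line of the configure commands, after $(REFPOLICY_CONFIGURE_MODULES), so the stripping is guaranteed to act on the final policy.conf.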