From ee984e116a83dedf1fae4e680369943ea2a53153 Mon Sep 17 00:00:00 2001
From: Fiona Klute
Date: Thu, 9 Oct 2025 16:32:16 +0200
Subject: [PATCH] package/refpolicy: add config option for "enableaudit"

SELinux policies commonly contain "dontaudit" rules, which omit certain denied actions from the audit logs to keep the log volume manageable. When investigating issues this can become a problem in itself because messages that could show the cause might be hidden. The common advice is to use "semodule -DB" to temporarily disable the dontaudit rules, but this is only possible with a modular policy, while package/refpolicy builds a monolithic policy. Instead, the Rules.monolithic makefile offers the "enableaudit" target, which removes any dontaudit rules before compiling the policy. This patch adds a config option to run the enableaudit target during the configure stage, intended for debug builds.

Signed-off-by: Fiona Klute
[Julien: remove unneeded "default n" in Config.in]
Signed-off-by: Julien Olivain
---
 package/refpolicy/Config.in    | 12 ++++++++++++
 package/refpolicy/refpolicy.mk |  7 +++++++
 2 files changed, 19 insertions(+)

diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
index 7aea39b223..242d7f34e0 100644
--- a/package/refpolicy/Config.in
+++ b/package/refpolicy/Config.in
@@ -121,6 +121,18 @@ config BR2_REFPOLICY_EXTRA_MODULES
 endif
+config BR2_REFPOLICY_ENABLEAUDIT
+	bool "remove dontaudit rules from policy (debugging only)"
+	help
+	  Remove dontaudit rules from policy.conf before compiling the
+	  policy. This can be useful for debugging to see "denied"
+	  audit log messages that would otherwise be hidden, which
+	  show the cause of problems.
+
+	  Warning: This option will likely produce a high rate of
+	  audit log messages, and should be enabled only for
+	  debugging.
+
 endif
 comment "refpolicy needs a toolchain w/ threads, gcc >= 5, host gcc >= 5"
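Review bot: The help text of BR2_REFPOLICY_ENABLEAUDIT says what the option reveals but not how the revealed denials should be treated, and that is the path by which a debugging build leaks into the shipped policy. A dontaudit rule exists because the policy authors chose not to log that denial, so a "denied" message that only appears with this option set is not by itself evidence of a missing allow rule, and feeding such messages through audit2allow into the production policy would loosen it. Suggest adding a third help paragraph after the Warning: `Denials that only appear with this option set are deliberately suppressed by the policy; do not turn them into allow rules for the production policy.` The surrounding `if` block of this Config.in starts outside the hunk.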
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index be27147ec5..127faf793a 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -101,6 +101,12 @@ define REFPOLICY_CONFIGURE_SYSTEMD
 endef
 endif
+ifeq ($(BR2_REFPOLICY_ENABLEAUDIT),y)
+define REFPOLICY_CONFIGURE_ENABLEAUDIT
+	$(REFPOLICY_MAKE) -C $(@D) enableaudit
+endef
+endif
+
 define REFPOLICY_CONFIGURE_CMDS
 	$(SED) "/OUTPUT_POLICY/c\OUTPUT_POLICY = $(REFPOLICY_POLICY_VERSION)" \
 		$(@D)/build.conf
@@ -111,6 +117,7 @@ define REFPOLICY_CONFIGURE_CMDS
 		$(REFPOLICY_COPY_EXTRA_MODULES)
 	)
 	$(REFPOLICY_MAKE) -C $(@D) bare conf
+	$(REFPOLICY_CONFIGURE_ENABLEAUDIT)
 	$(REFPOLICY_CONFIGURE_MODULES)
 endef
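Review bot: `$(REFPOLICY_CONFIGURE_ENABLEAUDIT)` is placed before `$(REFPOLICY_CONFIGURE_MODULES)`, so the enableaudit target generates and strips policy.conf from a modules.conf that the following step still edits. What happens next depends on refpolicy's Rules.monolithic, which is not in this hunk: if policy.conf (or the section files it is assembled from) is regenerated during the build step because modules.conf changed, the dontaudit rules come back and the option silently has no effect; if it is not regenerated, the modules enabled by REFPOLICY_CONFIGURE_MODULES may be missing from the stripped policy.conf. Running the target on the final module configuration avoids both outcomes, so the last three recipe lines should read `$(REFPOLICY_MAKE) -C $(@D) bare conf`, `$(REFPOLICY_CONFIGURE_MODULES)`, `$(REFPOLICY_CONFIGURE_ENABLEAUDIT)`. A comment above the new define, `# Strips dontaudit rules from the generated policy.conf (debug builds only); must run after modules.conf is final`, would record the ordering constraint. REFPOLICY_CONFIGURE_CMDS opens in the first hunk and its middle lines lie between the two hunks.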