package/refpolicy: add config option for "enableaudit"
SELinux policies commonly contain "dontaudit" rules, which omit certain denied actions from the audit logs to keep the log volume manageable. When investigating issues this can become a problem in itself because messages that could show the cause might be hidden. The common advice is to use "semodule -DB" to temporarily disable the dontaudit rules, but this is only possible with a modular policy, while package/refpolicy builds a monolithic policy. Instead, the Rules.monolithic makefile offers the "enableaudit" target, which removes any dontaudit rules before compiling the policy. This patch adds a config option to run the enableaudit target during the configure stage, intended for debug builds. Signed-off-by: Fiona Klute <fiona.klute@gmx.de> [Julien: remove unneeded "default n" in Config.in] Signed-off-by: Julien Olivain <ju.o@free.fr>
committed by
Julien Olivain
parent
b9d3a0418b
commit
ee984e116a
@@ -121,6 +121,18 @@ config BR2_REFPOLICY_EXTRA_MODULES
|
|||||||
|
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
config BR2_REFPOLICY_ENABLEAUDIT
|
||||||
|
bool "remove dontaudit rules from policy (debugging only)"
|
||||||
|
help
|
||||||
|
Remove dontaudit rules from policy.conf before compiling the
|
||||||
|
policy. This can be useful for debugging to see "denied"
|
||||||
|
audit log messages that would otherwise be hidden, which
|
||||||
|
show the cause of problems.
|
||||||
|
|
||||||
|
Warning: This option will likely produce a high rate of
|
||||||
|
audit log messages, and should be enabled only for
|
||||||
|
debugging.
|
||||||
|
|
||||||
endif
|
endif
|
||||||
|
|
||||||
comment "refpolicy needs a toolchain w/ threads, gcc >= 5, host gcc >= 5"
|
comment "refpolicy needs a toolchain w/ threads, gcc >= 5, host gcc >= 5"
|
||||||
|
|||||||
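Review bot: The help text under `config BR2_REFPOLICY_ENABLEAUDIT` says what is removed but not that enforcement is unchanged: stripping dontaudit rules only stops suppressing the audit records of operations the policy already denies, so users should expect no behavioural change beyond the extra logging. I would add one line to the help block: `Removing dontaudit rules does not change what the policy permits; previously silent denials are simply logged.` The warning paragraph could also state that the extra audit volume can fill the log store on a small target, which is the practical reason the option must not stay enabled in a shipped image. The `if` block that the two `endif` context lines close begins outside the hunk.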
@@ -101,6 +101,12 @@ define REFPOLICY_CONFIGURE_SYSTEMD
|
|||||||
endef
|
endef
|
||||||
endif
|
endif
|
||||||
|
|
||||||
|
ifeq ($(BR2_REFPOLICY_ENABLEAUDIT),y)
|
||||||
|
define REFPOLICY_CONFIGURE_ENABLEAUDIT
|
||||||
|
$(REFPOLICY_MAKE) -C $(@D) enableaudit
|
||||||
|
endef
|
||||||
|
endif
|
||||||
|
|
||||||
define REFPOLICY_CONFIGURE_CMDS
|
define REFPOLICY_CONFIGURE_CMDS
|
||||||
$(SED) "/OUTPUT_POLICY/c\OUTPUT_POLICY = $(REFPOLICY_POLICY_VERSION)" \
|
$(SED) "/OUTPUT_POLICY/c\OUTPUT_POLICY = $(REFPOLICY_POLICY_VERSION)" \
|
||||||
$(@D)/build.conf
|
$(@D)/build.conf
|
||||||
@@ -111,6 +117,7 @@ define REFPOLICY_CONFIGURE_CMDS
|
|||||||
$(REFPOLICY_COPY_EXTRA_MODULES)
|
$(REFPOLICY_COPY_EXTRA_MODULES)
|
||||||
)
|
)
|
||||||
$(REFPOLICY_MAKE) -C $(@D) bare conf
|
$(REFPOLICY_MAKE) -C $(@D) bare conf
|
||||||
|
$(REFPOLICY_CONFIGURE_ENABLEAUDIT)
|
||||||
$(REFPOLICY_CONFIGURE_MODULES)
|
$(REFPOLICY_CONFIGURE_MODULES)
|
||||||
endef
|
endef
|
||||||
|
|
||||||
|
|||||||
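Review bot: `$(REFPOLICY_CONFIGURE_ENABLEAUDIT)` is inserted into REFPOLICY_CONFIGURE_CMDS directly after `$(REFPOLICY_MAKE) -C $(@D) bare conf`, but nothing records why that position matters; per the Config.in help text the enableaudit target edits policy.conf, which presumably exists only after `conf` has generated it, so the ordering is a hidden dependency. I would add a comment above `define REFPOLICY_CONFIGURE_ENABLEAUDIT`: `# enableaudit strips dontaudit rules from the generated policy.conf, so it must run after "conf" and before the policy is compiled.` If `$(REFPOLICY_CONFIGURE_MODULES)`, which runs afterwards, regenerates policy.conf, the stripped rules would silently return; worth confirming against Rules.monolithic. The conditional define mirrors the REFPOLICY_CONFIGURE_SYSTEMD pattern above, so no structural change is needed.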