
package/refpolicy: add config option for "enableaudit"

SELinux policies commonly contain "dontaudit" rules, which omit
certain denied actions from the audit logs to keep the log volume
manageable. When investigating issues this can become a problem in
itself because messages that could show the cause might be hidden.

The common advice is to use "semodule -DB" to temporarily disable the
dontaudit rules, but this is only possible with a modular policy,
while package/refpolicy builds a monolithic policy. Instead, the
Rules.monolithic makefile offers the "enableaudit" target, which
removes any dontaudit rules before compiling the policy.

This patch adds a config option to run the enableaudit target during
the configure stage, intended for debug builds.

Signed-off-by: Fiona Klute <fiona.klute@gmx.de>
[Julien: remove unneeded "default n" in Config.in]
Signed-off-by: Julien Olivain <ju.o@free.fr>
Fiona Klute 3 сар өмнө
parent
commit
ee984e116a

+ 12 - 0
package/refpolicy/Config.in

@@ -121,6 +121,18 @@ config BR2_REFPOLICY_EXTRA_MODULES
 
 endif
 
+config BR2_REFPOLICY_ENABLEAUDIT
+	bool "remove dontaudit rules from policy (debugging only)"
+	help
+	  Remove dontaudit rules from policy.conf before compiling the
+	  policy. This can be useful for debugging to see "denied"
+	  audit log messages that would otherwise be hidden, which
+	  show the cause of problems.
+
+	  Warning: This option will likely produce a high rate of
+	  audit log messages, and should be enabled only for
+	  debugging.
+
 endif
 
 comment "refpolicy needs a toolchain w/ threads, gcc >= 5, host gcc >= 5"
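Review bot: The help text for BR2_REFPOLICY_ENABLEAUDIT (new lines 124–134) does not say that the option only changes what gets logged, not what the policy permits; since the commit message explains that dontaudit rules suppress log entries for actions that are denied anyway, a reader could otherwise take "remove dontaudit rules" for a relaxation of the policy. I would add a sentence after the first paragraph: `Access that is denied by the policy stays denied; this option only makes such denials visible in the audit log.` The existing warning about log volume can stay as written.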

+ 7 - 0
package/refpolicy/refpolicy.mk

@@ -101,6 +101,12 @@ define REFPOLICY_CONFIGURE_SYSTEMD
 endef
 endif
 
+ifeq ($(BR2_REFPOLICY_ENABLEAUDIT),y)
+define REFPOLICY_CONFIGURE_ENABLEAUDIT
+	$(REFPOLICY_MAKE) -C $(@D) enableaudit
+endef
+endif
+
 define REFPOLICY_CONFIGURE_CMDS
 	$(SED) "/OUTPUT_POLICY/c\OUTPUT_POLICY = $(REFPOLICY_POLICY_VERSION)" \
 		$(@D)/build.conf
@@ -111,6 +117,7 @@ define REFPOLICY_CONFIGURE_CMDS
 		$(REFPOLICY_COPY_EXTRA_MODULES)
 	)
 	$(REFPOLICY_MAKE) -C $(@D) bare conf
+	$(REFPOLICY_CONFIGURE_ENABLEAUDIT)
 	$(REFPOLICY_CONFIGURE_MODULES)
 endef
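Review bot: The new `$(REFPOLICY_CONFIGURE_ENABLEAUDIT)` call (line 120 on the new side) runs `enableaudit` after `bare conf` but before `$(REFPOLICY_CONFIGURE_MODULES)` adjusts the module selection, and the Config.in help describes `enableaudit` as stripping dontaudit rules from policy.conf; if that target, defined in the package's Rules.monolithic outside this diff, generates policy.conf from whatever modules.conf holds at that moment, a later change to the module set may let the build stage regenerate policy.conf with the dontaudit rules back in — worth confirming against Rules.monolithic, or moving the call after `$(REFPOLICY_CONFIGURE_MODULES)`. The conditional define on lines 104–108 also deserves a comment stating its intent and that the reference expands to nothing when the option is off, e.g. `# Debug builds only: strip dontaudit rules from the generated policy.conf so otherwise-hidden denials reach the audit log; empty when BR2_REFPOLICY_ENABLEAUDIT is unset.` REFPOLICY_CONFIGURE_CMDS starts outside the second hunk.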