[Buildroot] [git commit] package/refpolicy: add config option for "enableaudit"
Julien Olivain
ju.o at free.fr
Fri Oct 10 16:18:33 UTC 2025
commit: https://git.buildroot.net/buildroot/commit/?id=ee984e116a83dedf1fae4e680369943ea2a53153
branch: https://git.buildroot.net/buildroot/commit/?id=refs/heads/master
SELinux policies commonly contain "dontaudit" rules, which omit
certain denied actions from the audit logs to keep the log volume
manageable. When investigating issues, this can become a problem in
itself, because the messages that would show the cause may be hidden.
The common advice is to use "semodule -DB" to temporarily disable the
dontaudit rules, but this is only possible with a modular policy,
while package/refpolicy builds a monolithic policy. Instead, the
Rules.monolithic makefile offers the "enableaudit" target, which
removes any dontaudit rules before compiling the policy.
This patch adds a config option to run the enableaudit target during
the configure stage, intended for debug builds.
Signed-off-by: Fiona Klute <fiona.klute at gmx.de>
[Julien: remove unneeded "default n" in Config.in]
Signed-off-by: Julien Olivain <ju.o at free.fr>
---
package/refpolicy/Config.in | 12 ++++++++++++
package/refpolicy/refpolicy.mk | 7 +++++++
2 files changed, 19 insertions(+)
diff --git a/package/refpolicy/Config.in b/package/refpolicy/Config.in
index 7aea39b223..242d7f34e0 100644
--- a/package/refpolicy/Config.in
+++ b/package/refpolicy/Config.in
@@ -121,6 +121,18 @@ config BR2_REFPOLICY_EXTRA_MODULES
endif
+config BR2_REFPOLICY_ENABLEAUDIT
+ bool "remove dontaudit rules from policy (debugging only)"
+ help
+ Remove dontaudit rules from policy.conf before compiling the
+ policy. This can be useful for debugging to see "denied"
+ audit log messages that would otherwise be hidden, which
+ show the cause of problems.
+
+ Warning: This option will likely produce a high rate of
+ audit log messages, and should be enabled only for
+ debugging.
+
endif
comment "refpolicy needs a toolchain w/ threads, gcc >= 5, host gcc >= 5"
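Review bot: The help text of BR2_REFPOLICY_ENABLEAUDIT explains the log-volume effect but not that access decisions are unchanged, so a reader may assume stripping dontaudit rules loosens or tightens enforcement. Consider adding after the first paragraph: `Removing dontaudit rules does not change which operations are allowed or denied, only whether the denials are logged.` The option carries no `depends on` of its own; it appears to sit inside the enclosing `if` block of the refpolicy section (the closing `endif` follows), which I cannot confirm from the hunk, so it is worth checking that the option is hidden when the refpolicy package itself is disabled.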
diff --git a/package/refpolicy/refpolicy.mk b/package/refpolicy/refpolicy.mk
index be27147ec5..127faf793a 100644
--- a/package/refpolicy/refpolicy.mk
+++ b/package/refpolicy/refpolicy.mk
@@ -101,6 +101,12 @@ define REFPOLICY_CONFIGURE_SYSTEMD
endef
endif
+ifeq ($(BR2_REFPOLICY_ENABLEAUDIT),y)
+define REFPOLICY_CONFIGURE_ENABLEAUDIT
+ $(REFPOLICY_MAKE) -C $(@D) enableaudit
+endef
+endif
+
define REFPOLICY_CONFIGURE_CMDS
$(SED) "/OUTPUT_POLICY/c\OUTPUT_POLICY = $(REFPOLICY_POLICY_VERSION)" \
$(@D)/build.conf
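Review bot: The new REFPOLICY_CONFIGURE_ENABLEAUDIT define has no comment saying why a policy target is run during the configure step, and nothing in the hunk hints that it rewrites a generated file in place. Suggest placing `# Strip dontaudit rules from the generated policy.conf before compilation (debug builds only).` above the `ifeq`. The `ifeq`/`define` shape mirrors REFPOLICY_CONFIGURE_SYSTEMD just above, so the variable expands to nothing when the option is off and the unconditional reference in REFPOLICY_CONFIGURE_CMDS stays safe.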
@@ -111,6 +117,7 @@ define REFPOLICY_CONFIGURE_CMDS
$(REFPOLICY_COPY_EXTRA_MODULES)
)
$(REFPOLICY_MAKE) -C $(@D) bare conf
+ $(REFPOLICY_CONFIGURE_ENABLEAUDIT)
$(REFPOLICY_CONFIGURE_MODULES)
endef
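Review bot: `$(REFPOLICY_CONFIGURE_ENABLEAUDIT)` is expanded between `bare conf` and `$(REFPOLICY_CONFIGURE_MODULES)`, and its ordering relative to module selection is not documented. The upstream `enableaudit` target filters policy.conf in place and builds it first as a prerequisite; if REFPOLICY_CONFIGURE_MODULES (defined outside this hunk, so I cannot confirm) subsequently edits modules.conf, the build step may regenerate policy.conf from newer inputs and reinstate the dontaudit rules. If that is the case, moving the call below `$(REFPOLICY_CONFIGURE_MODULES)` avoids the strip-then-regenerate sequence; either way a comment such as `# run after module selection so the stripped policy.conf is not regenerated` would record the constraint. REFPOLICY_CONFIGURE_CMDS begins outside this hunk.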