From: Arnaldo Carvalho de Melo <arnaldo.melo@gmail.com>
To: Alexey Budankov <alexey.budankov@linux.intel.com>
Cc: Arnaldo Carvalho de Melo <arnaldo.melo@gmail.com>,
Jiri Olsa <jolsa@redhat.com>, Namhyung Kim <namhyung@kernel.org>,
Alexander Shishkin <alexander.shishkin@linux.intel.com>,
Peter Zijlstra <peterz@infradead.org>,
Ingo Molnar <mingo@redhat.com>, Andi Kleen <ak@linux.intel.com>,
linux-kernel <linux-kernel@vger.kernel.org>,
"selinux@vger.kernel.org" <selinux@vger.kernel.org>,
"linux-security-module@vger.kernel.org"
<linux-security-module@vger.kernel.org>
Subject: Re: [PATCH v1] perf tool: make Perf tool aware of SELinux access control
Date: Fri, 20 Mar 2020 10:48:22 -0300
Message-ID: <20200320134822.GA29833@kernel.org>
In-Reply-To: <d521a22d-9fa7-1bca-fa60-f23b55953c91@linux.intel.com>
On Fri, Mar 20, 2020 at 03:24:47PM +0300, Alexey Budankov wrote:
>
> On 19.03.2020 22:05, Arnaldo Carvalho de Melo wrote:
> > On Thu, Mar 19, 2020 at 04:01:26PM -0300, Arnaldo Carvalho de Melo wrote:
> <SNIP>
> >
> > So I'll try the steps below with/without your patch, and then... what
> > are the steps that a tester needs to go thru to have that refpolicy in?
> > Install some new SELinux package or library, spelling out in detail the
> > steps one needs to go thru helps reviewing/testing,
>
> Yes, sure. Steps to extend FC31 Targeted policy for testing perf_events access control:
Thanks a lot! This is the level of detail I was talking about, good job!
- Arnaldo
> * download selinux-policy srpm [1]: selinux-policy-3.14.4-48.fc31.src.rpm on my FC31
>
> * install srpm - it creates rpmbuild dir:
> [root@host ~]# rpm -Uhv selinux-policy-3.14.4-48.fc31.src.rpm
>
> * get into rpmbuild/SPECS dir and unpack sources:
> [root@host ~]# rpmbuild -bp selinux-policy.spec
>
> * Place the patch below in the rpmbuild/BUILD/selinux-policy-b86eaaf4dbcf2d51dd4432df7185c0eaf3cbcc02
> dir and apply it:
> [root@host ~]# patch -p1 < selinux-policy-perf-events-perfmon.patch
> patching file policy/flask/access_vectors
> patching file policy/flask/security_classes
> [root@host ~]# cat selinux-policy-perf-events-perfmon.patch
> diff -Nura a/policy/flask/access_vectors b/policy/flask/access_vectors
> --- a/policy/flask/access_vectors 2020-02-04 18:19:53.000000000 +0300
> +++ b/policy/flask/access_vectors 2020-02-28 23:37:25.000000000 +0300
> @@ -174,6 +174,7 @@
> wake_alarm
> block_suspend
> audit_read
> + perfmon
> }
>
> #
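Review bot: `perfmon` is declared here but no allow rule or interface granting it is added anywhere in the patch (only `policy/flask/access_vectors` and `policy/flask/security_classes` are touched), so once the rebuilt policy loads no domain holds the new permission; the testing steps should say whether that is intended (every perfmon-gated perf use is expected to be denied once `setenforce 1` is run) or whether the test domain needs a matching `allow <domain> self:capability2 perfmon;`. The `common`/`class` header this block belongs to is outside the shown context; naming it in the patch description (it reads as the cap2 permission list, given `audit_read` just above) would save reviewers opening the file.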
> @@ -1099,3 +1100,15 @@
>
> class xdp_socket
> inherits socket
> +
> +class perf_event
> +{
> + open
> + cpu
> + kernel
> + tracepoint
> + read
> + write
> +}
> +
> +
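Review bot: the hunk ends with two added empty lines, leaving blank lines at end of file; drop one so the file ends with a single newline like the rest of `access_vectors`. The new class also arrives without the `#` comment block that this file uses above its other declarations (see the `#` line after the first hunk); a one-line note on what each of `open`, `cpu`, `kernel` and `tracepoint` gates, as opposed to the file-style `read` and `write`, would let reviewers check the permission names against the kernel's class map without guessing.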
> diff -Nura a/policy/flask/security_classes b/policy/flask/security_classes
> --- a/policy/flask/security_classes 2020-02-04 18:19:53.000000000 +0300
> +++ b/policy/flask/security_classes 2020-02-28 21:35:17.000000000 +0300
> @@ -200,4 +200,6 @@
>
> class xdp_socket
>
> +class perf_event
> +
> # FLASK
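Review bot: `class perf_event` is placed right before the `# FLASK` trailer with a blank line after it, matching the file's one-class-per-line, blank-separated layout, so the declaration itself is fine; since the kernel matches classes and permissions against the loaded policy by name, the patch description should state which kernel tree or commit defines `perf_event` with exactly `open cpu kernel tracepoint read write`, so a tester can confirm the spelling before rebuilding the full policy set.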
>
> [root@host ~]#
>
> * get into rpmbuild/SPECS dir and build policy packages from patched sources:
> [root@host ~]# rpmbuild --noclean --noprep -ba selinux-policy.spec
> so you have this:
> [root@host ~]# ls -alh rpmbuild/RPMS/noarch/
> total 33M
> drwxr-xr-x. 2 root root 4.0K Mar 20 12:16 .
> drwxr-xr-x. 3 root root 4.0K Mar 20 12:16 ..
> -rw-r--r--. 1 root root 112K Mar 20 12:16 selinux-policy-3.14.4-48.fc31.noarch.rpm
> -rw-r--r--. 1 root root 1.2M Mar 20 12:17 selinux-policy-devel-3.14.4-48.fc31.noarch.rpm
> -rw-r--r--. 1 root root 2.3M Mar 20 12:17 selinux-policy-doc-3.14.4-48.fc31.noarch.rpm
> -rw-r--r--. 1 root root 12M Mar 20 12:17 selinux-policy-minimum-3.14.4-48.fc31.noarch.rpm
> -rw-r--r--. 1 root root 4.5M Mar 20 12:16 selinux-policy-mls-3.14.4-48.fc31.noarch.rpm
> -rw-r--r--. 1 root root 111K Mar 20 12:16 selinux-policy-sandbox-3.14.4-48.fc31.noarch.rpm
> -rw-r--r--. 1 root root 14M Mar 20 12:17 selinux-policy-targeted-3.14.4-48.fc31.noarch.rpm
>
> * install SELinux packages from FC repo [2], if not already done, and
> update with the patched rpms above:
> [root@host ~]# rpm -Uhv rpmbuild/RPMS/noarch/selinux-policy-*
>
> * there are also packages providing a GUI interface and visualization of SELinux management
> [root@host ~]# dnf install policycoreutils-gui
>
> * enable SELinux Permissive mode for Targeted policy, if not already done:
> [root@host ~]# cat /etc/selinux/config
> # This file controls the state of SELinux on the system.
> # SELINUX= can take one of these three values:
> # enforcing - SELinux security policy is enforced.
> # permissive - SELinux prints warnings instead of enforcing.
> # disabled - No SELinux policy is loaded.
> SELINUX=permissive
> # SELINUXTYPE= can take one of these three values:
> # targeted - Targeted processes are protected,
> # minimum - Modification of targeted policy. Only selected processes are protected.
> # mls - Multi Level Security protection.
> SELINUXTYPE=targeted
>
> * enable filesystem SELinux labeling at the next reboot
> [root@host ~]# touch /.autorelabel
>
> * reboot the machine; it will label filesystems and load the Targeted policy into the kernel
>
> * log in and check that the dmesg output doesn't mention that the perf_event class is unknown to the SELinux subsystem
>
> * check that SELinux is enabled and in Permissive mode
> [root@host ~]# getenforce
> Permissive
>
> * turn SELinux into Enforcing mode:
> [root@host ~]# setenforce 1
> [root@host ~]# getenforce
> Enforcing
>
> * Now the machine is enabled to test the patch
>
> --- If something went wrong ---
>
> * To turn SELinux into Permissive mode: setenforce 0
> * To fully disable SELinux during kernel boot [3] set the kernel command line parameter: selinux=0
> * To remove SELinux labeling from local filesystems: find / -mount -print0 | xargs -0 setfattr -h -x security.selinux
> * To fully turn SELinux off on a machine, set SELINUX=disabled in the /etc/selinux/config file and reboot
>
> ~Alexey
>
> [1] https://download-ib01.fedoraproject.org/pub/fedora/linux/updates/31/Everything/SRPMS/Packages/s/selinux-policy-3.14.4-49.fc31.src.rpm
> [2] https://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html
> [3] https://danwalsh.livejournal.com/10972.html
>
--
- Arnaldo
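The steps quoted above leave the tester with three things to verify by hand: that the patch really landed in both flask files before the long `rpmbuild -ba`, that the rebooted kernel did not report `perf_event`/`perfmon` as unknown to the loaded policy, and, after `setenforce 1`, which perf_event permissions are actually being denied. The script below bundles those checks. It is an added example, not code from this thread or from the selinux-policy package; it assumes the patched tree under rpmbuild/BUILD, selinuxfs mounted at /sys/fs/selinux, and the audit records in `sample_audit_lines` are constructed for illustration, not captured from a real machine.

```shell
#!/bin/sh
# Added example for the procedure above; not code from the thread or from the
# selinux-policy package. Assumptions: the patched policy tree is under
# rpmbuild/BUILD/<selinux-policy-dir>, selinuxfs is mounted at /sys/fs/selinux,
# and the audit lines in sample_audit_lines are constructed for illustration.
set -u

# 1. After `patch -p1`: confirm the two flask files declare what the patch
#    claims, before spending the time on `rpmbuild -ba`.  $1 = policy tree root.
check_policy_sources() {
    sc="$1/policy/flask/security_classes"
    av="$1/policy/flask/access_vectors"
    grep -q '^class perf_event$' "$sc" ||
        { echo "security_classes: 'class perf_event' missing"; return 1; }
    # perfmon must sit in the same brace block as audit_read (the cap2 common)
    awk '/^[ \t]*audit_read[ \t]*$/ { seen = 1; next }
         seen && /^[ \t]*perfmon[ \t]*$/ { found = 1; exit }
         seen && /}/ { exit }
         END { exit !found }' "$av" ||
        { echo "access_vectors: perfmon not in the block after audit_read"; return 1; }
    # every permission the patch lists must appear in the perf_event class block
    for p in open cpu kernel tracepoint read write; do
        awk -v p="$p" '/^class perf_event/ { in_cls = 1; next }
             in_cls && $1 == p { found = 1; exit }
             in_cls && /}/ { exit }
             END { exit !found }' "$av" ||
            { echo "access_vectors: class perf_event lacks '$p'"; return 1; }
    done
    return 0
}

# 2. After reboot: the kernel logs each class or permission from its own class
#    map that the loaded policy does not define.  Reads log text on stdin
#    (`dmesg | check_unknown_in_policy`); returns 1 if perf_event/perfmon is listed.
check_unknown_in_policy() {
    hits=$(grep -E 'SELinux: +(Class perf_event|Permission perfmon in class [a-z0-9_]+) not defined in policy' || true)
    [ -z "$hits" ] && return 0
    printf '%s\n' "$hits"
    return 1
}

# 3. After `setenforce 1` and a perf run: count denials of the new class and of
#    the perfmon capability, per command.  Input: audit lines on stdin
#    (/var/log/audit/audit.log or `ausearch -m AVC --raw`).
#    Output lines: "<comm> <tclass> <perm> <count>", sorted.
summarize_perf_denials() {
    awk '
    /avc:[ \t]+denied/ {
        tclass = ""; comm = "?"; perm = ""
        for (i = 1; i <= NF; i++) {
            if ($i ~ /^tclass=/) tclass = substr($i, 8)
            if ($i ~ /^comm=/) { comm = substr($i, 6); gsub(/"/, "", comm) }
        }
        # the permission list is the first { ... } group on the line
        if (match($0, /\{[^}]*\}/)) {
            perm = substr($0, RSTART + 1, RLENGTH - 2)
            gsub(/^[ \t]+|[ \t]+$/, "", perm)
        }
        if (tclass == "perf_event" || (tclass == "capability2" && perm == "perfmon"))
            n[comm " " tclass " " perm]++
    }
    END { for (k in n) print k, n[k] }' | LC_ALL=C sort
}

# Constructed AVC records (not captured from a real system) in audit.log
# layout, so the summary can be exercised without an SELinux box at hand.
sample_audit_lines() {
    ctx='unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023'
    cat <<EOF
type=AVC msg=audit(1584712345.123:456): avc:  denied  { open } for  pid=1234 comm="perf" scontext=$ctx tcontext=$ctx tclass=perf_event permissive=0
type=AVC msg=audit(1584712346.001:457): avc:  denied  { cpu } for  pid=1234 comm="perf" scontext=$ctx tcontext=$ctx tclass=perf_event permissive=0
type=AVC msg=audit(1584712346.002:458): avc:  denied  { perfmon } for  pid=1234 comm="perf" scontext=$ctx tcontext=$ctx tclass=capability2 permissive=0
type=AVC msg=audit(1584712347.000:459): avc:  denied  { open } for  pid=1235 comm="perf" scontext=$ctx tcontext=$ctx tclass=perf_event permissive=0
type=AVC msg=audit(1584712348.000:460): avc:  denied  { read } for  pid=999 comm="cat" path="/etc/shadow" tclass=file permissive=0
EOF
}

# Live checks for a machine that went through the steps above (run as root).
check_live_system() {
    echo "mode: $(getenforce)"
    # selinuxfs lists the loaded policy's classes; the new one must be there
    ls /sys/fs/selinux/class/perf_event/perms/ 2>/dev/null ||
        echo "perf_event class not present in the loaded policy"
    dmesg | check_unknown_in_policy && echo "dmesg: no unknown perf_event/perfmon"
}

# Offline demonstration on the constructed records.
sample_audit_lines | summarize_perf_denials
```

On the target box, `check_policy_sources rpmbuild/BUILD/selinux-policy-*` belongs between the `patch -p1` and `rpmbuild -ba` steps, `check_live_system` after the post-reboot `setenforce 1`, and `summarize_perf_denials < /var/log/audit/audit.log` after each perf run; the summary deliberately ignores every denial that is not `perf_event` or `capability2 perfmon`, so unrelated AVCs on a freshly relabeled system do not drown the result.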
Thread overview: 6+ messages
2020-03-13 17:27 [PATCH v1] perf tool: make Perf tool aware of SELinux access control Alexey Budankov
2020-03-19 6:23 ` Alexey Budankov
2020-03-19 19:01 ` Arnaldo Carvalho de Melo
2020-03-19 19:05 ` Arnaldo Carvalho de Melo
2020-03-20 12:24 ` Alexey Budankov
2020-03-20 13:48 ` Arnaldo Carvalho de Melo [this message]