On 10/09/2013 08:49 AM, Stephen Smalley wrote:
> On 10/08/2013 11:21 PM, William Roberts wrote:
>> You could change all occurrences of allow to auditallow. This will still let
>> the action go through, but log it.
>>
>> You can use sed to make this change.
>
> Not quite right. auditallow doesn't allow anything; it merely enables
> auditing of allowed permissions (i.e. granted messages). You still need
> the allow rule to permit the action.
>
> Also, if you auditallow everything, you will likely DOS the system from
> an audit flood.
>
> AFAIK, the only reason you don't see granted messages in audit.log on
> Android is that we have no auditallow rules in our default policy for
> Android. But you can certainly add them. But don't add them blindly;
> only add them when you want to see every time a particular permission is
> granted.
Just to confirm, with the attached patch for external/sepolicy, I do get
granted messages in audit.log:
type=1400 msg=audit(1381323943.710:3): avc: granted { setenforce } for pid=1 comm="init" scontext=u:r:kernel:s0 tcontext=u:object_r:kernel:s0 tclass=security
type=1400 msg=audit(1381323945.400:5): avc: granted { load_policy } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:object_r:kernel:s0 tclass=security
This isn't overly useful, however, as these days the kernel already has
explicit audit events defined for setting enforcing mode and loading
policy, so you already get separate audit messages for those actions:
type=1403 msg=audit(1381323943.710:2): policy loaded auid=4294967295 ses=4294967295
type=1404 msg=audit(1381323943.710:4): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
diff --git a/domain.te b/domain.te
index a303cbe..15cb5da 100644
--- a/domain.te
+++ b/domain.te
@@ -129,3 +129,5 @@ neverallow { domain -init -ueventd -system_server -unconfineddomain } hw_random_
# Ensure that all entrypoint executables are in exec_type.
neverallow domain { file_type -exec_type }:file entrypoint;
+
+auditallow domain kernel:security { load_policy setenforce setbool setsecparam setcheckreqprot };
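Review bot: The new auditallow rule at the end of domain.te carries no comment explaining its intent, while the neighbouring neverallow rule does; since the message itself notes that the granted records for load_policy and setenforce duplicate the kernel's own type=1403 and type=1404 events, a one-line comment stating which of the remaining permissions (setbool, setsecparam, setcheckreqprot) the rule is meant to surface would make the purpose clear, e.g. `# Audit every grant of policy-management permissions on the kernel security object.` The rule is scoped to the kernel:security class only, so the audit-flood concern raised earlier in the thread does not apply here; the added empty `+` line before it also leaves a stray blank line at the end of the file.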
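As an added illustration (not part of this thread or of external/sepolicy), a small Python parser for the audit records quoted above: it separates AVC granted/denied records (type=1400) from the kernel's dedicated policy-load (type=1403) and enforcing-mode (type=1404) records, and reports which granted permissions are already covered by a dedicated event, as the message describes. The sample log is a constructed copy of the lines quoted above, and the mapping of setenforce and load_policy to those record types is taken from the message.

```python
import re

# Constructed sample: the records quoted in the message above, one per line.
SAMPLE_LOG = """\
type=1403 msg=audit(1381323943.710:2): policy loaded auid=4294967295 ses=4294967295
type=1400 msg=audit(1381323943.710:3): avc: granted { setenforce } for pid=1 comm="init" scontext=u:r:kernel:s0 tcontext=u:object_r:kernel:s0 tclass=security
type=1404 msg=audit(1381323943.710:4): enforcing=1 old_enforcing=0 auid=4294967295 ses=4294967295
type=1400 msg=audit(1381323945.400:5): avc: granted { load_policy } for pid=1 comm="init" scontext=u:r:init:s0 tcontext=u:object_r:kernel:s0 tclass=security
"""

AVC, MAC_POLICY_LOAD, MAC_STATUS = 1400, 1403, 1404

# Permissions whose grants the kernel already reports with a dedicated record type
# (taken from the message: policy load -> 1403, enforcing-mode change -> 1404).
DEDICATED_RECORD = {"load_policy": MAC_POLICY_LOAD, "setenforce": MAC_STATUS}

HEADER_RE = re.compile(r"^type=(\d+) msg=audit\((\d+\.\d+):(\d+)\): (.*)$")
AVC_RE = re.compile(r"^avc: +(granted|denied) +\{ ([^}]*)\} for (.*)$")
KV_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

def parse_record(line):
    """Parse one audit record into a dict; AVC records also get result/perms."""
    m = HEADER_RE.match(line.strip())
    if not m:
        return None
    rec = {"type": int(m.group(1)), "ts": m.group(2), "serial": int(m.group(3))}
    body = m.group(4)
    if rec["type"] == AVC:
        a = AVC_RE.match(body)
        if not a:
            return None
        rec["result"] = a.group(1)            # "granted" or "denied"
        rec["perms"] = a.group(2).split()     # e.g. ["setenforce"]
        body = a.group(3)
    rec["fields"] = {k: v.strip('"') for k, v in KV_RE.findall(body)}
    return rec

def parse_log(text):
    return [r for r in (parse_record(l) for l in text.splitlines()) if r]

def redundant_grants(records):
    """Granted AVC permissions that already have a dedicated record type in the log."""
    present = {r["type"] for r in records}
    out = {}
    for r in records:
        if r["type"] != AVC or r["result"] != "granted":
            continue
        for perm in r["perms"]:
            dedicated = DEDICATED_RECORD.get(perm)
            if dedicated in present:
                out[perm] = dedicated
    return out
```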