[Buildroot] [PATCH v3] package/refpolicy: Add option to disable "dontaudit" rules

Giulio Benetti giulio.benetti at benettiengineering.com
Mon Jan 24 09:20:59 UTC 2022 

> Il giorno 24 gen 2022, alle ore 10:07, Antoine Tenart <atenart at kernel.org> ha scritto:
> 
> Quoting Giulio Benetti (2022-01-24 09:59:45)
>> 
>>>> Il giorno 24 gen 2022, alle ore 09:45, Antoine Tenart <atenart at kernel.org> ha scritto:
>>> 
>>> Quoting Giulio Benetti (2022-01-23 23:21:50)
>>>> 
>>>> Re-reading this after some day it looks to me like the simple
>>>> BR2_PACKAGE_REFPOLICY_ENABLEAUDIT is correct. Because it "Removes all 
>>>> dontaudit rules from policy.conf", so it's true that it enables audit 
>>>> logs in the end. It's a very specific options and the one who will use 
>>>> it will know what he will enable and most of all we can specify in the 
>>>> help section that:
>>>> "Removes all dontaudit rules from policy.conf"
>>> 
>>>> Does it work for you?
>>> 
>>> As long as the help text is clear enough for the user, either config
>>> option name should be acceptable. Using the above is good to have an 1:1
>>> mapping with the target name, at the expense of having the help text not
>>> matching it and an unclear option name from the user perspective (it's a
>>> bit weird not to enable it, at first). For _WITH_DONTAUDIT_, the
>>> opposite is true. I'd say there is no perfect solution, we can either
>>> stay close to the refpolicy internals or have the Buildroot specifics
>>> more consistent; not sure which is better.
>> 
>> I’d go for Buildroot consistency since we’re in Buildroot.
> 
> So _WITH_DONTAUDIT_?
> 
>> If someone enables refpolicy package and enables “Enable audit”, I
>> expect to see audit log. Right?
> 
> Extra audit log*

Aaah, here is the point ^^^.

> 
> It's not about enabling audit logs, it's about having some known rules
> to not be silenced in the audit logs as they're known to be problematic.

Ok, Thanks for the explanation.

> 
>> This is me at least that I’ve never used refpolicy so I’m agnostic in
>> the topic, so maybe a neutral “use case“ :-)
> 
> I don't really have a preference for either solution tbh.

Then I’d go for:
BR2_PACKAGE_REFPOLICY_ENABLE_EXTRA_AUDIT_LOG

“Enable extra audit log”

And in the help section I specify all the warnings.
Defaulted to n.

This way it’s pretty clear to me that I approach the package for the first time. And most of all it’s what it does as you’ve explained me above.

Well. I try to respin it this way. Will I receive a Reviewed-by: you then? :-)

Best regards
Giulio

> 
> Antoine

More information about the buildroot mailing list