From 4c588568254617db7164da6ef2bb736853922d6f Mon Sep 17 00:00:00 2001
From: Geoff Levand
Date: Wed, 23 May 2018 10:08:00 -0700
Subject: [PATCH 1/3] sys-process/audit: Fix Container Linux rules The existing rules were not giving the correct message filter. Fix that and add some comments for users wishing to modify the default rules.
Signed-off-by: Geoff Levand
---
 sys-process/audit/files/audit-rules.tmpfiles | 1 -
 sys-process/audit/files/rules.d/80-selinux.rules | 4 ----
 sys-process/audit/files/rules.d/99-default.rules | 13 +++++++++----
 3 files changed, 9 insertions(+), 9 deletions(-)
 delete mode 100644 sys-process/audit/files/rules.d/80-selinux.rules
diff --git a/sys-process/audit/files/audit-rules.tmpfiles b/sys-process/audit/files/audit-rules.tmpfiles
index 2c15b63d23..871083b433 100644
--- a/sys-process/audit/files/audit-rules.tmpfiles
+++ b/sys-process/audit/files/audit-rules.tmpfiles
@@ -1,5 +1,4 @@
 d /etc/audit - - - - -
 d /etc/audit/rules.d - - - - -
 L /etc/audit/rules.d/00-clear.rules - - - - /usr/share/audit/rules.d/00-clear.rules
-L /etc/audit/rules.d/80-selinux.rules - - - - /usr/share/audit/rules.d/80-selinux.rules
 L /etc/audit/rules.d/99-default.rules - - - - /usr/share/audit/rules.d/99-default.rules
diff --git a/sys-process/audit/files/rules.d/80-selinux.rules b/sys-process/audit/files/rules.d/80-selinux.rules
deleted file mode 100644
index 627b17db3f..0000000000
--- a/sys-process/audit/files/rules.d/80-selinux.rules
+++ /dev/null
@@ -1,4 +0,0 @@
-# Enable all SELinux related events
-# 1400 to 1499 are for kernel SELinux use (see /include/uapi/linux/audit.h)
-
--a exclude,never -F msgtype>=1400 -F msgtype<=1499
diff --git a/sys-process/audit/files/rules.d/99-default.rules b/sys-process/audit/files/rules.d/99-default.rules
index cc373d8406..f295b9ddf0 100644
--- a/sys-process/audit/files/rules.d/99-default.rules
+++ b/sys-process/audit/files/rules.d/99-default.rules
@@ -1,5 +1,10 @@
-# Always report changes to the audit subsystem itself.
--a exclude,never -F msgtype=CONFIG_CHANGE
-
+# Report changes to the audit subsystem (CONFIG_CHANGE).
+# Report all SELinux related events (AVC).
 # Ignore everything else.
--a exclude,always -F msgtype>0
+#
+# Rules on the same line form an AND expression.
+# Rules on on different lines form an OR expression.
+# For info on configuring audit rules see the auditctl man page and
+# https://github.com/torvalds/linux/blob/master/include/uapi/linux/audit.h
+
+-a always,exclude -F msgtype!=AVC -F msgtype!=CONFIG_CHANGE
From 6a3bac2d528d6086ff975ca9fe4172209061b5f5 Mon Sep 17 00:00:00 2001
From: Geoff Levand
Date: Wed, 23 May 2018 10:08:00 -0700
Subject: [PATCH 2/3] sys-process/audit: Fix arm64 runtime errors The --with-arm and --with-aarch64 configure script options need to be set when building for the arm64-usr target. Fixes runtime errors like these when adding machine/arch specific rules: # auditctl -a exit,always -S fchmod Error detecting machine type # auditctl -a exit,always -F arch=aarch64 -S fchmod arch elf mapping not found
Signed-off-by: Geoff Levand
---
 sys-process/audit/audit-2.7.1.ebuild | 7 +++++++
 1 file changed, 7 insertions(+)
diff --git a/sys-process/audit/audit-2.7.1.ebuild b/sys-process/audit/audit-2.7.1.ebuild
index 7f8453ff8a..5d20712f7c 100644
--- a/sys-process/audit/audit-2.7.1.ebuild
+++ b/sys-process/audit/audit-2.7.1.ebuild
@@ -86,7 +86,14 @@ src_prepare() {
 
 multilib_src_configure() {
 local ECONF_SOURCE=${S}
+ local extra_conf
+
+ if [[ "${ARCH}" == "arm64" ]]; then
+ extra_conf="--with-arm --with-aarch64"
+ fi
+
 econf \
+ ${extra_conf} \
 --sbindir="${EPREFIX}/sbin" \
 $(use_enable gssapi gssapi-krb5) \
 $(use_enable static-libs static) \
From 36692e0fb6729344a66f5df1d172a3cd2e682e92 Mon Sep 17 00:00:00 2001
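Review bot: The new exclude rule in 99-default.rules keeps only `AVC` and `CONFIG_CHANGE`, which is narrower than the deleted 80-selinux.rules, whose rule targeted the whole 1400–1499 kernel SELinux range. Other record types in that range, for example `MAC_POLICY_LOAD` and `MAC_STATUS` (policy reloads and enforcing-mode changes), satisfy both `!=` fields and are therefore dropped, so the comment `# Report all SELinux related events (AVC).` overstates what is kept. If those records are wanted for detection, the single rule could become two range rules, `-a always,exclude -F msgtype<1400 -F msgtype!=CONFIG_CHANGE` and `-a always,exclude -F msgtype>1499`; otherwise the comment should say that only AVC records are kept. The added comment block also has a doubled word in `# Rules on on different lines form an OR expression.`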
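Review bot: In the audit-2.7.1.ebuild hunk, `${extra_conf}` in the `econf` call relies on unquoted word splitting to turn one string into two configure options, which breaks silently if someone later quotes the expansion or adds a value containing spaces. A bash array states the intent directly: `local extra_conf=()`, then `extra_conf+=( --with-arm --with-aarch64 )` inside the `if`, and `"${extra_conf[@]}" \` in the call. A one-line comment above the `if` saying that auditctl cannot resolve arm64 arch/syscall rules without these options would tell the next maintainer why the branch exists. multilib_src_configure continues past the end of the hunk, so the remaining econf arguments are not visible here.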
From: Geoff Levand
Date: Wed, 23 May 2018 10:08:00 -0700
Subject: [PATCH 3/3] sys-process/audit: Bump revision
---
 sys-process/audit/{audit-2.7.1.ebuild => audit-2.7.1-r1.ebuild} | 0
 1 file changed, 0 insertions(+), 0 deletions(-)
 rename sys-process/audit/{audit-2.7.1.ebuild => audit-2.7.1-r1.ebuild} (100%)
diff --git a/sys-process/audit/audit-2.7.1.ebuild b/sys-process/audit/audit-2.7.1-r1.ebuild
similarity index 100%
rename from sys-process/audit/audit-2.7.1.ebuild
rename to sys-process/audit/audit-2.7.1-r1.ebuild