perf/Documentation/security.txt

6 https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html
15 1. Download selinux-policy SRPM package (e.g. selinux-policy-3.14.4-48.fc31.src.rpm on FC31)
18    # rpm -Uhv selinux-policy-3.14.4-48.fc31.src.rpm
22    # rpmbuild -bp selinux-policy.spec
24 3. Place patch below at rpmbuild/BUILD/selinux-policy-b86eaaf4dbcf2d51dd4432df7185c0eaf3cbcc02
27    # patch -p1 < selinux-policy-perf-events-perfmon.patch
30    # cat selinux-policy-perf-events-perfmon.patch
31 diff -Nura a/policy/flask/access_vectors b/policy/flask/access_vectors
32 --- a/policy/flask/access_vectors	2020-02-04 18:19:53.000000000 +0300
33 +++ b/policy/flask/access_vectors	2020-02-28 23:37:25.000000000 +0300
34 @@ -174,6 +174,7 @@
42 @@ -1099,3 +1100,15 @@
58 diff -Nura a/policy/flask/security_classes b/policy/flask/security_classes
59 --- a/policy/flask/security_classes	2020-02-04 18:19:53.000000000 +0300
60 +++ b/policy/flask/security_classes	2020-02-28 21:35:17.000000000 +0300
61 @@ -200,4 +200,6 @@
71    # rpmbuild --noclean --noprep -ba selinux-policy.spec
75    # ls -alh rpmbuild/RPMS/noarch/
77    drwxr-xr-x. 2 root root 4.0K Mar 20 12:16 .
78    drwxr-xr-x. 3 root root 4.0K Mar 20 12:16 ..
79    -rw-r--r--. 1 root root 112K Mar 20 12:16 selinux-policy-3.14.4-48.fc31.noarch.rpm
80    -rw-r--r--. 1 root root 1.2M Mar 20 12:17 selinux-policy-devel-3.14.4-48.fc31.noarch.rpm
81    -rw-r--r--. 1 root root 2.3M Mar 20 12:17 selinux-policy-doc-3.14.4-48.fc31.noarch.rpm
82    -rw-r--r--. 1 root root  12M Mar 20 12:17 selinux-policy-minimum-3.14.4-48.fc31.noarch.rpm
83    -rw-r--r--. 1 root root 4.5M Mar 20 12:16 selinux-policy-mls-3.14.4-48.fc31.noarch.rpm
84    -rw-r--r--. 1 root root 111K Mar 20 12:16 selinux-policy-sandbox-3.14.4-48.fc31.noarch.rpm
85    -rw-r--r--. 1 root root  14M Mar 20 12:17 selinux-policy-targeted-3.14.4-48.fc31.noarch.rpm
90    # rpm -Uhv rpmbuild/RPMS/noarch/selinux-policy-*
98    #     enforcing - SELinux security policy is enforced.
99    #     permissive - SELinux prints warnings instead of enforcing.
100    #     disabled - No SELinux policy is loaded.
103    #     targeted - Targeted processes are protected,
104    #     minimum - Modification of targeted policy. Only selected processes are protected.
105    #     mls - Multi Level Security protection.
145    perf_event_paranoid setting is -1:
146      -1: Allow use of (almost) all events by all users
158    # journalctl --reverse --no-pager | grep perf_event
162 …beled unconfined_t. For complete SELinux messages run: sealert -l 4595ce5b-e58f-462c-9d86-3bc20749…
163 …xt=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconf…
169 Run the command below to generate my-perf.te policy extension file with
172    # ausearch -c 'perf' --raw | audit2allow -M my-perf && cat my-perf.te
174    module my-perf 1.0;
184 Now compile, pack and load my-perf.pp extension module into the kernel:
186    # checkmodule -M -m -o my-perf.mod my-perf.te
187    # semodule_package -o my-perf.pp -m my-perf.mod
188    # semodule -X 300 -i my-perf.pp
197          36,387.41 msec cpu-clock                 #    7.999 CPUs utilized
198              2,629      context-switches          #    0.072 K/sec
199                 57      cpu-migrations            #    0.002 K/sec
200                  1      page-faults               #    0.000 K/sec
204          1,259,201      branch-misses             #    6.42% of all branches
208 The generated perf-event.pp related policy extension module can be removed
211    # semodule -X 300 -r my-perf
216    # semodule -d my-perf
217    # semodule -e my-perf
228    # find / -mount -print0 | xargs -0 setfattr -h -x security.selinux
235 [1] https://download-ib01.fedoraproject.org/pub/fedora/linux/updates/31/Everything/SRPMS/Packages/s…
236 …ps://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Linux/sect-Security-Enhanced_Li…