On Tue, Feb 2, 2021 at 10:46 PM Paul Moore <p...@paul-moore.com> wrote: > On Tue, Feb 2, 2021 at 4:44 PM Daniel Walker (danielwa) > <danie...@cisco.com> wrote: > > On Tue, Feb 02, 2021 at 04:35:42PM -0500, Paul Moore wrote: > > > On Tue, Feb 2, 2021 at 4:29 PM Daniel Walker <danie...@cisco.com> wrote: > > > > From: Victor Kamensky <kamen...@cisco.com> > > > > > > > > To efficiently find out where SELinux AVC denial is comming from > > > > take backtrace of user land process and display it as type=UBACKTRACE > > > > message that comes as audit context for SELinux AVC and other audit > > > > messages ... > > > > > > Have you tried the new perf tracepoint for SELinux AVC decisions that > > > trigger an audit event? It's a new feature for v5.10 and looks to > > > accomplish most of what you are looking for with this patch. > > > > > > * https://www.paul-moore.com/blog/d/2020/12/linux_v510.html > > > > We haven't tried it, but I can look into it. We're not using v5.10 > > extensively > > yet. > > Let us know if that works for you, and if it doesn't, let us know what > might be missing. I hate seeing the kernel grow multiple features > which do the same thing.
I agree - I played around with this new tracepoint recently and you can use it to achieve what you want quite easily: # collect traces for denials (just interrupt/kill the sleep process when done) - will create a perf.data file you can analyze later perf record -a -e avc:selinux_audited -g --call-graph=dwarf sleep infinity # dump all collected backtraces from the perf.data file perf script It's a bit complicated if you want to have it running in the background permanently as a service (you need to tell perf to dump the recorded data before you can read it), but perf already has some command-line options to help with that use case. -- Ondrej Mosnacek Software Engineer, Linux Security - SELinux kernel Red Hat, Inc.
