Skip to content

Enable dbus audit logs.#5754

Merged
anphel31 merged 2 commits into
microsoft:mainfrom
cwize1:user/chrisgun/DBusAudit
Jun 29, 2023
Merged

Enable dbus audit logs.#5754
anphel31 merged 2 commits into
microsoft:mainfrom
cwize1:user/chrisgun/DBusAudit

Conversation

@cwize1

@cwize1 cwize1 commented Jun 27, 2023

Copy link
Copy Markdown
Merge Checklist

All boxes should be checked before merging the PR (just tick any boxes which don't apply to this PR)

  • The toolchain has been rebuilt successfully (or no changes were made to it)
  • The toolchain/worker package manifests are up-to-date
  • Any updated packages successfully build (or no packages were changed)
  • Packages depending on static components modified in this PR (Golang, *-static subpackages, etc.) have had their Release tag incremented.
  • Package tests (%check section) have been verified with RUN_CHECK=y for existing SPEC files, or added to new SPEC files
  • All package sources are available
  • cgmanifest files are up-to-date and sorted (./cgmanifest.json, ./toolkit/scripts/toolchain/cgmanifest.json, .github/workflows/cgmanifest.json)
  • LICENSE-MAP files are up-to-date (./SPECS/LICENSES-AND-NOTICES/data/licenses.json, ./SPECS/LICENSES-AND-NOTICES/LICENSES-MAP.md, ./SPECS/LICENSES-AND-NOTICES/LICENSE-EXCEPTIONS.PHOTON)
  • All source files have up-to-date hashes in the *.signatures.json files
  • sudo make go-tidy-all and sudo make go-test-coverage pass
  • Documentation has been updated to match any changes to the build system
  • Ready to merge

Summary

dbus has implemented its own SELinux rules. When dbus blocks an operation based on SELinux, it has logic to log the violation to the security audit logs (as it should). Unfortunatley, this logic is currently incorrectly disabled by a build flag. This changes fixes this problem.

Note: The audit client lib supports and actively encourages clients to not fail when the audit service is not available on the system. So, this does not add a dependency on the audit package.

Change Log
  • Enable dbus audit logs.
Does this affect the toolchain?

NO

Test Methodology

Ran a command that was known to trigger dbus SELinux violation (while using an SELinux enable image) and ensured that the correct log showed up in the audit logs.

@cwize1 cwize1 requested a review from a team as a code owner June 27, 2023 22:52
@anphel31

Copy link
Copy Markdown
Member

Please change the target branch to main instead of 2.0

@cwize1 cwize1 changed the base branch from 2.0 to main June 28, 2023 21:23
dbus has implemented its own SELinux rules. When dbus blocks an
operation based on SELinux, it has logic to log the violation to the
security audit logs (as it should). Unfortunatley, this logic is
currently incorrectly disabled by a build flag. This changes fixes this
problem.

Note: The audit client lib supports and actively encourages clients to
not fail when the audit service is not available on the system. So,
this does not add a dependency on the audit package.
@cwize1 cwize1 force-pushed the user/chrisgun/DBusAudit branch from 5666ea9 to 934207b Compare June 28, 2023 21:24
@microsoft-github-policy-service microsoft-github-policy-service Bot added the main PR Destined for main label Jun 28, 2023
@anphel31

Copy link
Copy Markdown
Member

@anphel31 anphel31 merged commit d97c132 into microsoft:main Jun 29, 2023
@cwize1 cwize1 deleted the user/chrisgun/DBusAudit branch July 20, 2023 17:48
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

main PR Destined for main

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants