Orange Pi5 kernel

Deprecated Linux kernel 5.10.110 for OrangePi 5/5B/5+ boards

Overview
========

For general security-related questions about perf_event_open() syscall usage
and performance monitoring and observability operations by Perf, see:
https://www.kernel.org/doc/html/latest/admin-guide/perf-security.html

Enabling LSM based mandatory access control (MAC) to perf_event_open() syscall
==============================================================================

LSM hooks for mandatory access control for perf_event_open() syscall can be
used starting from Linux v5.3. Below are the steps to extend the Fedora (v31)
Targeted policy with perf_event_open() access control capabilities:

1. Download selinux-policy SRPM package (e.g. selinux-policy-3.14.4-48.fc31.src.rpm on FC31)
   and install it so that the rpmbuild directory exists in the current working directory:

   # rpm -Uhv selinux-policy-3.14.4-48.fc31.src.rpm

2. Get into rpmbuild/SPECS directory and unpack the source code:

   # rpmbuild -bp selinux-policy.spec

3. Place the patch below in the rpmbuild/BUILD/selinux-policy-b86eaaf4dbcf2d51dd4432df7185c0eaf3cbcc02
   directory and apply it:

   # patch -p1 < selinux-policy-perf-events-perfmon.patch
   patching file policy/flask/access_vectors
   patching file policy/flask/security_classes
   # cat selinux-policy-perf-events-perfmon.patch
diff -Nura a/policy/flask/access_vectors b/policy/flask/access_vectors
--- a/policy/flask/access_vectors	2020-02-04 18:19:53.000000000 +0300
+++ b/policy/flask/access_vectors	2020-02-28 23:37:25.000000000 +0300
@@ -174,6 +174,7 @@
 	wake_alarm
 	block_suspend
 	audit_read
+	perfmon
 }
 
 #
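Review bot: `perfmon` is appended to the capability permission list after `audit_read` with no comment saying what it stands for; since this file already uses `#` comments (see the context line right after the closing `}`), add a one-line note that the permission mirrors the CAP_PERFMON capability this document refers to later, so policy maintainers can tell which kernel capability the new name tracks.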
@@ -1099,3 +1100,15 @@
 
 class xdp_socket
 inherits socket
+
+class perf_event
+{
+	open
+	cpu
+	kernel
+	tracepoint
+	read
+	write
+}
+
+
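Review bot: the hunk ends with two added blank lines (`+`, `+`) after the closing `}` of `class perf_event`, while the file separates class blocks with a single blank line (see the lone blank context line before `class xdp_socket`); drop one of them. The permission set itself (open cpu kernel tracepoint read write) is exactly the `class perf_event { ... }` that the generated my-perf.te module later in this document requires, so nothing is missing from the declaration.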
diff -Nura a/policy/flask/security_classes b/policy/flask/security_classes
--- a/policy/flask/security_classes	2020-02-04 18:19:53.000000000 +0300
+++ b/policy/flask/security_classes	2020-02-28 21:35:17.000000000 +0300
@@ -200,4 +200,6 @@
 
 class xdp_socket
 
+class perf_event
+
 # FLASK
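Review bot: no logic issue here; the `class perf_event` declaration sits after `class xdp_socket`, mirroring its position in access_vectors, and the added blank line before `# FLASK` keeps the file's existing spacing. Keep both files in one patch as done here: a class that appears in access_vectors without a matching declaration in security_classes fails the policy build, so applying only the first half would break step 4.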

4. Get into rpmbuild/SPECS directory and build policy packages from the patched sources:

   # rpmbuild --noclean --noprep -ba selinux-policy.spec

   so that you have this:

   # ls -alh rpmbuild/RPMS/noarch/
   total 33M
   drwxr-xr-x. 2 root root 4.0K Mar 20 12:16 .
   drwxr-xr-x. 3 root root 4.0K Mar 20 12:16 ..
   -rw-r--r--. 1 root root 112K Mar 20 12:16 selinux-policy-3.14.4-48.fc31.noarch.rpm
   -rw-r--r--. 1 root root 1.2M Mar 20 12:17 selinux-policy-devel-3.14.4-48.fc31.noarch.rpm
   -rw-r--r--. 1 root root 2.3M Mar 20 12:17 selinux-policy-doc-3.14.4-48.fc31.noarch.rpm
   -rw-r--r--. 1 root root  12M Mar 20 12:17 selinux-policy-minimum-3.14.4-48.fc31.noarch.rpm
   -rw-r--r--. 1 root root 4.5M Mar 20 12:16 selinux-policy-mls-3.14.4-48.fc31.noarch.rpm
   -rw-r--r--. 1 root root 111K Mar 20 12:16 selinux-policy-sandbox-3.14.4-48.fc31.noarch.rpm
   -rw-r--r--. 1 root root  14M Mar 20 12:17 selinux-policy-targeted-3.14.4-48.fc31.noarch.rpm

5. Install the SELinux packages from the Fedora repo, if not already done, and
   update them with the patched rpms above:

   # rpm -Uhv rpmbuild/RPMS/noarch/selinux-policy-*

6. Enable SELinux Permissive mode for the Targeted policy, if not already done:

   # cat /etc/selinux/config

   # This file controls the state of SELinux on the system.
   # SELINUX= can take one of these three values:
   #     enforcing - SELinux security policy is enforced.
   #     permissive - SELinux prints warnings instead of enforcing.
   #     disabled - No SELinux policy is loaded.
   SELINUX=permissive
   # SELINUXTYPE= can take one of these three values:
   #     targeted - Targeted processes are protected,
   #     minimum - Modification of targeted policy. Only selected processes are protected.
   #     mls - Multi Level Security protection.
   SELINUXTYPE=targeted

7. Enable filesystem SELinux labeling at the next reboot:

   # touch /.autorelabel

8. Reboot the machine; it will relabel the filesystems and load the Targeted policy into the kernel.

9. Log in and check that the dmesg output does not report the perf_event class as unknown to the SELinux subsystem.

10. Check that SELinux is enabled and in Permissive mode:

    # getenforce
    Permissive

11. Turn SELinux into Enforcing mode:

    # setenforce 1
    # getenforce
    Enforcing
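As an added example (not part of the original document), a Python check for steps 9 to 11 that reads selinuxfs instead of grepping dmesg: it reports whether the loaded policy knows the perf_event class with the permissions the patch declares, and which mode SELinux is in. The selinuxfs paths used (class/<name>/perms/<perm> and enforce) are the kernel's; the function names and the offline fixture are this example's own.

```python
import os
import tempfile

# Permission set declared by the access_vectors hunk of the patch above.
EXPECTED_PERMS = {"open", "cpu", "kernel", "tracepoint", "read", "write"}


def perf_event_perms(selinuxfs="/sys/fs/selinux"):
    """Permissions of the perf_event class in the loaded policy, or None when
    the class is unknown to it (the condition step 9 has you look for in dmesg)."""
    perms_dir = os.path.join(selinuxfs, "class", "perf_event", "perms")
    if not os.path.isdir(perms_dir):
        return None
    return set(os.listdir(perms_dir))


def enforce_mode(selinuxfs="/sys/fs/selinux"):
    """'enforcing', 'permissive' or 'disabled', as getenforce would print."""
    path = os.path.join(selinuxfs, "enforce")
    if not os.path.exists(path):
        return "disabled"          # selinuxfs absent: SELinux not enabled
    with open(path) as f:
        return "enforcing" if f.read().strip() == "1" else "permissive"


def check_policy(selinuxfs="/sys/fs/selinux"):
    """Summarise the state; 'ok' is True only when the patched policy is
    loaded with every expected permission and SELinux is not disabled."""
    perms = perf_event_perms(selinuxfs)
    missing = EXPECTED_PERMS - perms if perms is not None else set(EXPECTED_PERMS)
    mode = enforce_mode(selinuxfs)
    return {"class_known": perms is not None, "missing_perms": sorted(missing),
            "mode": mode, "ok": perms is not None and not missing and mode != "disabled"}


def fake_selinuxfs(root, perms, enforce):
    """Constructed fixture: a minimal selinuxfs layout under root, for running
    the checks offline on a machine without SELinux."""
    perms_dir = os.path.join(root, "class", "perf_event", "perms")
    os.makedirs(perms_dir)
    for index, perm in enumerate(sorted(perms), start=1):
        with open(os.path.join(perms_dir, perm), "w") as f:
            f.write(f"{index}\n")  # selinuxfs stores the permission bit number here
    with open(os.path.join(root, "enforce"), "w") as f:
        f.write(f"{enforce}\n")


def demo():
    """check_policy() against a complete fixture and one missing 'tracepoint'."""
    with tempfile.TemporaryDirectory() as good, tempfile.TemporaryDirectory() as bad:
        fake_selinuxfs(good, EXPECTED_PERMS, 1)
        fake_selinuxfs(bad, EXPECTED_PERMS - {"tracepoint"}, 0)
        return check_policy(good), check_policy(bad)


if __name__ == "__main__":
    print(check_policy())   # the real /sys/fs/selinux on this host
```

A missing permission means the running kernel loaded an older policy package than the one built in step 4, which is the case step 9 is meant to catch.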

Opening access to perf_event_open() syscall on Fedora with SELinux
==================================================================

Access to performance monitoring and observability operations by Perf
can be limited even for the superuser or for CAP_PERFMON or CAP_SYS_ADMIN
privileged processes. MAC policy settings (e.g. SELinux) can be loaded into
the kernel and prevent unauthorized access to perf_event_open() syscall. In
that case the Perf tool prints a message similar to the one below:

   # perf stat
   Error:
   Access to performance monitoring and observability operations is limited.
   Enforced MAC policy settings (SELinux) can limit access to performance
   monitoring and observability operations. Inspect system audit records for
   more perf_event access control information and adjusting the policy.
   Consider adjusting /proc/sys/kernel/perf_event_paranoid setting to open
   access to performance monitoring and observability operations for users
   without CAP_PERFMON or CAP_SYS_ADMIN Linux capability.
   perf_event_paranoid setting is -1:
     -1: Allow use of (almost) all events by all users
         Ignore mlock limit after perf_event_mlock_kb without CAP_IPC_LOCK
   >= 0: Disallow raw and ftrace function tracepoint access
   >= 1: Disallow CPU event access
   >= 2: Disallow kernel profiling
   To make the adjusted perf_event_paranoid setting permanent preserve it
   in /etc/sysctl.conf (e.g. kernel.perf_event_paranoid = <setting>)

To confirm that access is limited by MAC policy settings, inspect the system
audit records using the journalctl command or /var/log/audit/audit.log; the
output should contain AVC denied records related to perf_event:

   # journalctl --reverse --no-pager | grep perf_event

   python3[1318099]: SELinux is preventing perf from open access on the perf_event labeled unconfined_t.
                                         If you believe that perf should be allowed open access on perf_event labeled unconfined_t by default.
   setroubleshoot[1318099]: SELinux is preventing perf from open access on the perf_event labeled unconfined_t. For complete SELinux messages run: sealert -l 4595ce5b-e58f-462c-9d86-3bc2074935de
   audit[1318098]: AVC avc:  denied  { open } for  pid=1318098 comm="perf" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=0

In order to open access to perf_event_open() syscall, the MAC policy settings
may need to be extended. On a SELinux system this can be done by loading a
policy module that extends the base policy settings. A Perf related policy
module can be generated from the system audit records about blocked
perf_event access. Run the command below to generate the my-perf.te policy
extension file with perf_event related rules:

   # ausearch -c 'perf' --raw | audit2allow -M my-perf && cat my-perf.te

   module my-perf 1.0;

   require {
        type unconfined_t;
        class perf_event { cpu kernel open read tracepoint write };
   }

   #============= unconfined_t ==============
   allow unconfined_t self:perf_event { cpu kernel open read tracepoint write };
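The following is an added example, not audit2allow or the document's own code: it parses AVC records like the ones above for tclass=perf_event and renders a my-perf.te module in the same layout, but grants only the permissions the records actually show as denied instead of the whole class. The sample records are constructed; the first is the one quoted in this document, the other two are made up.

```python
import re

# Constructed sample input: the first record is the one quoted in this document,
# the other two are made up (a second perf_event denial and an unrelated file one).
SAMPLE_AVC = """\
audit[1318098]: AVC avc:  denied  { open } for  pid=1318098 comm="perf" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=0
audit[1318101]: AVC avc:  denied  { cpu kernel } for  pid=1318101 comm="perf" scontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tcontext=unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023 tclass=perf_event permissive=0
audit[1318102]: AVC avc:  denied  { read } for  pid=1318102 comm="cat" scontext=system_u:system_r:init_t:s0 tcontext=system_u:object_r:etc_t:s0 tclass=file permissive=0
"""

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{\s*(?P<perms>[^}]+?)\s*\}.*?"
    r"scontext=(?P<scon>\S+)\s+tcontext=(?P<tcon>\S+)\s+tclass=(?P<tclass>\S+)"
)


def parse_perf_event_denials(text):
    """Return {(source_type, target_type): set(perms)} for perf_event denials only."""
    denials = {}
    for m in AVC_RE.finditer(text):
        if m.group("tclass") != "perf_event":
            continue  # denials on other classes belong in a different module
        stype = m.group("scon").split(":")[2]  # user:role:type[:level] -> type
        ttype = m.group("tcon").split(":")[2]
        denials.setdefault((stype, ttype), set()).update(m.group("perms").split())
    return denials


def render_module(denials, name="my-perf", version="1.0"):
    """Render a .te module in the layout audit2allow uses, granting only the
    permissions seen in the records (least privilege) rather than the whole class."""
    if not denials:
        return None
    types = sorted({t for pair in denials for t in pair})
    all_perms = sorted(set().union(*denials.values()))
    lines = [f"module {name} {version};", "", "require {"]
    lines += [f"\ttype {t};" for t in types]
    lines += [f"\tclass perf_event {{ {' '.join(all_perms)} }};", "}", ""]
    for (stype, ttype), perms in sorted(denials.items()):
        target = "self" if stype == ttype else ttype  # audit2allow writes self for same type
        lines.append(f"allow {stype} {target}:perf_event {{ {' '.join(sorted(perms))} }};")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print(render_module(parse_perf_event_denials(SAMPLE_AVC)))
```

Feed it the output of `ausearch -c 'perf' --raw` in place of SAMPLE_AVC and build the result with the checkmodule/semodule_package/semodule commands that follow; rerun after each new denial so the module only ever grows by what Perf was actually refused.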

Now compile, pack and load the my-perf.pp extension module into the kernel:

   # checkmodule -M -m -o my-perf.mod my-perf.te
   # semodule_package -o my-perf.pp -m my-perf.mod
   # semodule -X 300 -i my-perf.pp

After the steps above, access to perf_event_open() syscall should now be
allowed by the policy settings. Check access by running Perf like this:

   # perf stat
   ^C
   Performance counter stats for 'system wide':

         36,387.41 msec cpu-clock                 #    7.999 CPUs utilized
             2,629      context-switches          #    0.072 K/sec
                57      cpu-migrations            #    0.002 K/sec
                 1      page-faults               #    0.000 K/sec
       263,721,559      cycles                    #    0.007 GHz
       175,746,713      instructions              #    0.67  insn per cycle
        19,628,798      branches                  #    0.539 M/sec
         1,259,201      branch-misses             #    6.42% of all branches

       4.549061439 seconds time elapsed

The generated my-perf.pp policy extension module can be removed from the
kernel using this command:

   # semodule -X 300 -r my-perf

Alternatively the module can be temporarily disabled and enabled back using
these two commands:

   # semodule -d my-perf
   # semodule -e my-perf

If something went wrong
=======================

To turn SELinux into Permissive mode:
   # setenforce 0

To fully disable SELinux during kernel boot [3], set the kernel command line parameter selinux=0

To remove SELinux labeling from local filesystems:
   # find / -mount -print0 | xargs -0 setfattr -h -x security.selinux

To fully turn SELinux off on a machine, set SELINUX=disabled in the /etc/selinux/config file and reboot.

Links
=====

[1] https://download-ib01.fedoraproject.org/pub/fedora/linux/updates/31/Everything/SRPMS/Packages/s/selinux-policy-3.14.4-49.fc31.src.rpm
[2] https://docs.fedoraproject.org/en-US/Fedora/11/html/Security-Enhanced_Linux/sect-Security-Enhanced_Linux-Working_with_SELinux-Enabling_and_Disabling_SELinux.html
[3] https://danwalsh.livejournal.com/10972.html