On Thu, Jul 30, 2020 at 10:29 AM peter enderborg <peter.enderborg@xxxxxxxx> wrote:
>
> I did manage to rebase it, but this is about my approach.
>
> Compared to Thiébaud Weksteen's patch this adds:
>
> 1 Filtering. Types go to trace so we can put up a filter for contexts or type etc.
>
> 2 It also tries to cover non-denies. And upon that you should be able to do coverage tools.
> I think many systems have a lot more rules than what is needed, but there is a good way
> to find out what. Another way is to make a stat page for the rules, but this way connects to
> userspace and can be used for test cases.
>
> This code needs a lot more work, but it shows how the filter should work (extra info is not right)
> and there are memory leaks, extra debug info and nonsense variables etc.

Perhaps the two of you could work together to come up with a common tracepoint that addresses both needs. On the one hand, we don't need/want to duplicate the avc message itself; we just need enough to be able to correlate them. With respect to non-denials, SELinux auditallow statements can be used to generate avc: granted messages that can be used to support coverage tools, although you can easily flood the logs that way. One other limitation of the other patch is that it doesn't support generating trace information for denials silenced by dontaudit rules, which might be challenging to debug, especially on Android where you can't just run semodule -DB to strip all dontaudits.
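As an added illustration of the coverage-tool idea raised in this thread (not code from either patch or from the thread's participants), the script below parses avc: granted and avc: denied records, such as those that auditallow rules and denials produce, and tallies which (source type, target type, class, permission) tuples were actually exercised. The audit lines are constructed samples, and the field layout assumed is the usual avc record format.

```python
import re
from collections import Counter

# Constructed sample audit lines (not from the original thread), shaped like
# the avc: granted / avc: denied records the AVC emits.
SAMPLE_AUDIT = """\
type=AVC msg=audit(1596100000.123:45): avc:  granted  { read } for  pid=1234 comm="cat" name="passwd" dev="sda1" ino=12 scontext=u:r:shell:s0 tcontext=u:object_r:passwd_file:s0 tclass=file
type=AVC msg=audit(1596100001.456:46): avc:  denied  { write } for  pid=1235 comm="sh" name="hosts" dev="sda1" ino=13 scontext=u:r:shell:s0 tcontext=u:object_r:system_file:s0 tclass=file permissive=0
type=AVC msg=audit(1596100002.789:47): avc:  granted  { read open } for  pid=1236 comm="cat" name="passwd" dev="sda1" ino=12 scontext=u:r:shell:s0 tcontext=u:object_r:passwd_file:s0 tclass=file
"""

# Result keyword, permission set in braces, then the three context fields.
AVC_RE = re.compile(
    r"avc:\s+(?P<result>granted|denied)\s+\{\s*(?P<perms>[^}]*)\}.*?"
    r"scontext=(?P<scontext>\S+)\s+tcontext=(?P<tcontext>\S+)\s+tclass=(?P<tclass>\S+)"
)

def context_type(ctx):
    # u:r:shell:s0 -> "shell"; the type is the third colon-separated field
    return ctx.split(":")[2]

def parse_avc(line):
    """Return a dict for one avc record, or None if the line is not one."""
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "result": m.group("result"),
        "perms": tuple(sorted(m.group("perms").split())),
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
    }

def coverage(log_text):
    """Count exercised (stype, ttype, tclass, perm) tuples, split by result.

    The granted counter is the coverage data a test suite would compare
    against its allow rules; the denied counter shows what was hit but refused.
    """
    granted, denied = Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec is None:
            continue
        target = granted if rec["result"] == "granted" else denied
        for perm in rec["perms"]:
            target[(rec["stype"], rec["ttype"], rec["tclass"], perm)] += 1
    return granted, denied
```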