74de835e2c
- Use libsepol.so.2 - Convert matchpathcon to selabel_lookup() - Change userspace AVC setenforce and policy load messages to audit format - Remove trailing slash on selabel_file lookups - Use kernel status page by default
From a4149e0eab50092699f05217cbf10a60d84d8d20 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <chpebeni@linux.microsoft.com>
Date: Thu, 27 Aug 2020 08:58:39 -0400
Subject: [PATCH] libselinux: Add new log callback levels for enforcing and
policy load notices.
This will enable userspace object managers to send proper audits for policy
loads and setenforce messages generated by the userspace AVC code.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
libselinux/include/selinux/selinux.h | 2 ++
libselinux/man/man3/selinux_set_callback.3 | 5 +++++
libselinux/src/avc_internal.c | 4 ++--
3 files changed, 9 insertions(+), 2 deletions(-)
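diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index c22834e58418..ae98a92e393e 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -182,6 +182,8 @@ extern void selinux_set_callback(int type, union selinux_callback cb);
 #define SELINUX_WARNING 1
 #define SELINUX_INFO 2
 #define SELINUX_AVC 3
+#define SELINUX_POLICYLOAD 4
+#define SELINUX_SETENFORCE 5
 #define SELINUX_TRANS_DIR "/var/run/setrans"
 
 /* Compute an access decision. */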
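diff --git a/libselinux/man/man3/selinux_set_callback.3 b/libselinux/man/man3/selinux_set_callback.3
index a4c613ad5d85..6dfe5ff6050f 100644
--- a/libselinux/man/man3/selinux_set_callback.3
+++ b/libselinux/man/man3/selinux_set_callback.3
@@ -46,6 +46,11 @@ argument indicates the type of message and will be set to one of the following:
 .B SELINUX_INFO
 
 .B SELINUX_AVC
+
+.B SELINUX_POLICYLOAD
+
+.B SELINUX_SETENFORCE
+
 .
 .TP
 .B SELINUX_CB_AUDIT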
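diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c
index 4ef924527e10..572b2159c3ed 100644
--- a/libselinux/src/avc_internal.c
+++ b/libselinux/src/avc_internal.c
@@ -58,7 +58,7 @@ int avc_process_setenforce(int enforcing)
 {
 int rc = 0;
 
-avc_log(SELINUX_INFO,
+avc_log(SELINUX_SETENFORCE,
 "%s: received setenforce notice (enforcing=%d)\n",
 avc_prefix, enforcing);
 if (avc_setenforce)
@@ -80,7 +80,7 @@ int avc_process_policyload(uint32_t seqno)
 {
 int rc = 0;
 
-avc_log(SELINUX_INFO,
+avc_log(SELINUX_POLICYLOAD,
 "%s: received policyload notice (seqno=%u)\n",
 avc_prefix, seqno);
 rc = avc_ss_reset(seqno);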
--
2.29.0