74de835e2c
- Use libsepol.so.2
- Convert matchpathcon to selabel_lookup()
- Change userspace AVC setenforce and policy load messages to audit format
- Remove trailing slash on selabel_file lookups
- Use kernel status page by default
39 lines
1.5 KiB
Diff
From f5d644c7e633042b04189bfa428d88b9bb985f36 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <chpebeni@linux.microsoft.com>
Date: Tue, 15 Sep 2020 13:33:31 -0400
Subject: [PATCH] libselinux: Add additional log callback details in man page
for auditing.

Add additional information about the log callback message types. Indicate
which types could be audited and the relevant audit record types for them.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
libselinux/man/man3/selinux_set_callback.3 | 9 +++++++++
1 file changed, 9 insertions(+)

diff --git a/libselinux/man/man3/selinux_set_callback.3 b/libselinux/man/man3/selinux_set_callback.3
index 6dfe5ff6050f..75f49b06d836 100644
--- a/libselinux/man/man3/selinux_set_callback.3
+++ b/libselinux/man/man3/selinux_set_callback.3
@@ -51,6 +51,15 @@ argument indicates the type of message and will be set to one of the following:

.B SELINUX_SETENFORCE

+SELINUX_ERROR, SELINUX_WARNING, and SELINUX_INFO indicate standard log severity
+levels and are not auditable messages.
+
+The SELINUX_AVC, SELINUX_POLICYLOAD, and SELINUX_SETENFORCE message types can be
+audited with AUDIT_USER_AVC, AUDIT_USER_MAC_POLICY_LOAD, and AUDIT_USER_MAC_STATUS
+values from libaudit, respectively. If they are not audited, SELINUX_AVC should be
+considered equivalent to SELINUX_ERROR; similarly, SELINUX_POLICYLOAD and
+SELINUX_SETENFORCE should be considered equivalent to SELINUX_INFO.
+
.
.TP
.B SELINUX_CB_AUDIT
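Review bot: The added paragraphs say the three types "can be audited with AUDIT_USER_AVC, AUDIT_USER_MAC_POLICY_LOAD, and AUDIT_USER_MAC_STATUS values from libaudit" but do not say which side is expected to emit the audit record or how. Please state explicitly that this is the job of the application's log callback (if that is the intent) and point to the relevant libaudit man page, so a callback author knows what to do with these types. The "respectively" mapping across two three-item lists is easy to misread; a short list pairing each message type with its audit record type, followed by its fallback severity (SELINUX_ERROR for SELINUX_AVC, SELINUX_INFO for the other two), would be clearer. Minor style point: the constants in the new text are unformatted, while the list entry just above uses .B for SELINUX_SETENFORCE.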
--
2.29.0