libselinux/0009-libselinux-Add-additional-log-callback-details-in-ma.patch
Petr Lautrbach 74de835e2c Rebase on db0f2f382e31 at SELinuxProject
- Use libsepol.so.2
- Convert matchpathcon to selabel_lookup()
- Change userspace AVC setenforce and policy load messages to audit
  format
- Remove trailing slash on selabel_file lookups
- Use kernel status page by default
2020-10-30 12:56:19 +01:00

39 lines
1.5 KiB
Diff

From f5d644c7e633042b04189bfa428d88b9bb985f36 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <chpebeni@linux.microsoft.com>
Date: Tue, 15 Sep 2020 13:33:31 -0400
Subject: [PATCH] libselinux: Add additional log callback details in man page
for auditing.
Add additional information about the log callback message types. Indicate
which types could be audited and the relevant audit record types for them.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
libselinux/man/man3/selinux_set_callback.3 | 9 +++++++++
1 file changed, 9 insertions(+)
diff --git a/libselinux/man/man3/selinux_set_callback.3 b/libselinux/man/man3/selinux_set_callback.3
index 6dfe5ff6050f..75f49b06d836 100644
--- a/libselinux/man/man3/selinux_set_callback.3
+++ b/libselinux/man/man3/selinux_set_callback.3
@@ -51,6 +51,15 @@ argument indicates the type of message and will be set to one of the following:
.B SELINUX_SETENFORCE
+SELINUX_ERROR, SELINUX_WARNING, and SELINUX_INFO indicate standard log severity
+levels and are not auditable messages.
+
+The SELINUX_AVC, SELINUX_POLICYLOAD, and SELINUX_SETENFORCE message types can be
+audited with AUDIT_USER_AVC, AUDIT_USER_MAC_POLICY_LOAD, and AUDIT_USER_MAC_STATUS
+values from libaudit, respectively. If they are not audited, SELINUX_AVC should be
+considered equivalent to SELINUX_ERROR; similarly, SELINUX_POLICYLOAD and
+SELINUX_SETENFORCE should be considered equivalent to SELINUX_INFO.
+
.
.TP
.B SELINUX_CB_AUDIT
--
2.29.0