libselinux/0007-libselinux-Add-new-log-callback-levels-for-enforcing.patch
Petr Lautrbach 74de835e2c Rebase on db0f2f382e31 at SELinuxProject
- Use libsepol.so.2
- Convert matchpathcon to selabel_lookup()
- Change userspace AVC setenforce and policy load messages to audit
  format
- Remove trailing slash on selabel_file lookups
- Use kernel status page by default
2020-10-30 12:56:19 +01:00

72 lines
2.3 KiB
Diff

From a4149e0eab50092699f05217cbf10a60d84d8d20 Mon Sep 17 00:00:00 2001
From: Chris PeBenito <chpebeni@linux.microsoft.com>
Date: Thu, 27 Aug 2020 08:58:39 -0400
Subject: [PATCH] libselinux: Add new log callback levels for enforcing and
policy load notices.
This will enable userspace object managers to send proper audits for policy
loads and setenforce messages generated by the userspace AVC code.
Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
---
libselinux/include/selinux/selinux.h | 2 ++
libselinux/man/man3/selinux_set_callback.3 | 5 +++++
libselinux/src/avc_internal.c | 4 ++--
3 files changed, 9 insertions(+), 2 deletions(-)
diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index c22834e58418..ae98a92e393e 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -182,6 +182,8 @@ extern void selinux_set_callback(int type, union selinux_callback cb);
#define SELINUX_WARNING 1
#define SELINUX_INFO 2
#define SELINUX_AVC 3
+#define SELINUX_POLICYLOAD 4
+#define SELINUX_SETENFORCE 5
#define SELINUX_TRANS_DIR "/var/run/setrans"
/* Compute an access decision. */
diff --git a/libselinux/man/man3/selinux_set_callback.3 b/libselinux/man/man3/selinux_set_callback.3
index a4c613ad5d85..6dfe5ff6050f 100644
--- a/libselinux/man/man3/selinux_set_callback.3
+++ b/libselinux/man/man3/selinux_set_callback.3
@@ -46,6 +46,11 @@ argument indicates the type of message and will be set to one of the following:
.B SELINUX_INFO
.B SELINUX_AVC
+
+.B SELINUX_POLICYLOAD
+
+.B SELINUX_SETENFORCE
+
.
.TP
.B SELINUX_CB_AUDIT
diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c
index 4ef924527e10..572b2159c3ed 100644
--- a/libselinux/src/avc_internal.c
+++ b/libselinux/src/avc_internal.c
@@ -58,7 +58,7 @@ int avc_process_setenforce(int enforcing)
{
int rc = 0;
- avc_log(SELINUX_INFO,
+ avc_log(SELINUX_SETENFORCE,
"%s: received setenforce notice (enforcing=%d)\n",
avc_prefix, enforcing);
if (avc_setenforce)
@@ -80,7 +80,7 @@ int avc_process_policyload(uint32_t seqno)
{
int rc = 0;
- avc_log(SELINUX_INFO,
+ avc_log(SELINUX_POLICYLOAD,
"%s: received policyload notice (seqno=%u)\n",
avc_prefix, seqno);
rc = avc_ss_reset(seqno);
--
2.29.0