diff options
| author |   Richard Guy Briggs <rgb@redhat.com> | 2018-04-09 19:34:22 -0400 |
|---|---|---|
| committer |   Paul Moore <paul@paul-moore.com> | 2018-04-17 17:40:40 -0400 |
| commit | 4195ed425d3c77f4cf11f3511feeb723a8f48587 (patch) | |
| tree | edaae5ca81af1b9936e95059ff80e8fe86aacf39 | |
| parent | security: selinux: Change return type to vm_fault_t (diff) | |
| download | linux-dev-4195ed425d3c77f4cf11f3511feeb723a8f48587.tar.xz linux-dev-4195ed425d3c77f4cf11f3511feeb723a8f48587.zip | |
audit: normalize MAC_STATUS record
There were two formats of the audit MAC_STATUS record, one of which was more
standard than the other. One listed enforcing status changes and the
other listed enabled status changes with a non-standard label. In
addition, the record was missing information about which LSM was
responsible and the operation's completion status. While this record is
only issued on success, the parser expects the res= field to be present.
old enforcing/permissive:
type=MAC_STATUS msg=audit(1523312831.378:24514): enforcing=0 old_enforcing=1 auid=0 ses=1
old enable/disable:
type=MAC_STATUS msg=audit(1523312831.378:24514): selinux=0 auid=0 ses=1
List both sets of status and old values and add the lsm= field and the
res= field.
Here is the new format:
type=MAC_STATUS msg=audit(1523293828.657:891): enforcing=0 old_enforcing=1 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1
This record already accompanied a SYSCALL record.
See: https://github.com/linux-audit/audit-kernel/issues/46
Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[PM: 80-char fixes, merge fuzz, use new SELinux state functions]
Signed-off-by: Paul Moore <paul@paul-moore.com>
| -rw-r--r-- | security/selinux/selinuxfs.c | 14 |
1 files changed, 10 insertions, 4 deletions
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 6128f5293056..ace893568b98 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -168,10 +168,12 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf, if (length) goto out; audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, - "enforcing=%d old_enforcing=%d auid=%u ses=%u", + "enforcing=%d old_enforcing=%d auid=%u ses=%u" + " enabled=%d old-enabled=%d lsm=selinux res=1", new_value, old_value, from_kuid(&init_user_ns, audit_get_loginuid(current)), - audit_get_sessionid(current)); + audit_get_sessionid(current), + selinux_enabled, selinux_enabled); enforcing_set(state, new_value); if (new_value) avc_ss_reset(state->avc, 0); @@ -279,6 +281,7 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf, char *page; ssize_t length; int new_value; + int enforcing; if (count >= PAGE_SIZE) return -ENOMEM; @@ -296,13 +299,16 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf, goto out; if (new_value) { + enforcing = enforcing_enabled(fsi->state); length = selinux_disable(fsi->state); if (length) goto out; audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, - "selinux=0 auid=%u ses=%u", + "enforcing=%d old_enforcing=%d auid=%u ses=%u" + " enabled=%d old-enabled=%d lsm=selinux res=1", + enforcing, enforcing, from_kuid(&init_user_ns, audit_get_loginuid(current)), - audit_get_sessionid(current)); + audit_get_sessionid(current), 0, 1); } length = count; |