audit: normalize MAC_STATUS record

There were two formats of the audit MAC_STATUS record, one of which was more standard than the other. One listed enforcing status changes and the other listed enabled status changes with a non-standard label. In addition, the record was missing information about which LSM was responsible and the operation's completion status. While this record is only issued on success, the parser expects the res= field to be present. old enforcing/permissive: type=MAC_STATUS msg=audit(1523312831.378:24514): enforcing=0 old_enforcing=1 auid=0 ses=1 old enable/disable: type=MAC_STATUS msg=audit(1523312831.378:24514): selinux=0 auid=0 ses=1 List both sets of status and old values and add the lsm= field and the res= field. Here is the new format: type=MAC_STATUS msg=audit(1523293828.657:891): enforcing=0 old_enforcing=1 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1 This record already accompanied a SYSCALL record. See: https://github.com/linux-audit/audit-kernel/issues/46 Signed-off-by: Richard Guy Briggs <rgb@redhat.com> [PM: 80-char fixes, merge fuzz, use new SELinux state functions] Signed-off-by: Paul Moore <paul@paul-moore.com>
author: Richard Guy Briggs <rgb@redhat.com> 2018-04-09 19:34:22 -0400
committer: Paul Moore <paul@paul-moore.com> 2018-04-17 17:40:40 -0400
commit: 4195ed425d3c77f4cf11f3511feeb723a8f48587 (patch)
tree: edaae5ca81af1b9936e95059ff80e8fe86aacf39
parent: ac9a1f6db35521df6da1b81ae70eb665beed35c8 (diff)
1 files changed, 10 insertions, 4 deletions
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 6128f5293056..ace893568b98 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -168,10 +168,12 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf,
                if (length)
                        goto out;
                audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
-                        "enforcing=%d old_enforcing=%d auid=%u ses=%u",
+                        "enforcing=%d old_enforcing=%d auid=%u ses=%u"
+                        " enabled=%d old-enabled=%d lsm=selinux res=1",
                        new_value, old_value,
                        from_kuid(&init_user_ns, audit_get_loginuid(current)),
-                        audit_get_sessionid(current));
+                        audit_get_sessionid(current),
+                        selinux_enabled, selinux_enabled);
                enforcing_set(state, new_value);
                if (new_value)
                        avc_ss_reset(state->avc, 0);
@@ -279,6 +281,7 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
        char *page;
        ssize_t length;
        int new_value;
+        int enforcing;
        if (count >= PAGE_SIZE)
                return -ENOMEM;
@@ -296,13 +299,16 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf,
                goto out;
        if (new_value) {
+                enforcing = enforcing_enabled(fsi->state);
                length = selinux_disable(fsi->state);
                if (length)
                        goto out;
                audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
-                        "selinux=0 auid=%u ses=%u",
+                        "enforcing=%d old_enforcing=%d auid=%u ses=%u"
+                        " enabled=%d old-enabled=%d lsm=selinux res=1",
+                        enforcing, enforcing,
                        from_kuid(&init_user_ns, audit_get_loginuid(current)),
-                        audit_get_sessionid(current));
+                        audit_get_sessionid(current), 0, 1);
        }
        length = count;
author	Richard Guy Briggs <rgb@redhat.com>	2018-04-09 19:34:22 -0400
committer	Paul Moore <paul@paul-moore.com>	2018-04-17 17:40:40 -0400
commit	4195ed425d3c77f4cf11f3511feeb723a8f48587 (patch)
tree	edaae5ca81af1b9936e95059ff80e8fe86aacf39
parent	ac9a1f6db35521df6da1b81ae70eb665beed35c8 (diff)