diff options
author | Steve Grubb <sgrubb@redhat.com> | 2006-01-04 09:08:39 -0500 |
---|---|---|
committer | Al Viro <viro@zeniv.linux.org.uk> | 2006-03-20 14:08:54 -0500 |
commit | af601e4623d0303bfafa54ec728b7ae8493a8e1b (patch) | |
tree | 5f79d5ae42eeccfc1ffaf8e82a1999e4d3af793e /security | |
parent | d884596f44ef5a0bcd8a66405dc04902aeaa6fc7 (diff) |
[PATCH] SE Linux audit events
Attached is a patch that hardwires important SE Linux events to the audit
system. Please Apply.
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/selinuxfs.c | 11 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 15 |
2 files changed, 20 insertions, 6 deletions
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index b5fa02d17b1..5eba6664eac 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c | |||
@@ -21,6 +21,7 @@ | |||
21 | #include <linux/major.h> | 21 | #include <linux/major.h> |
22 | #include <linux/seq_file.h> | 22 | #include <linux/seq_file.h> |
23 | #include <linux/percpu.h> | 23 | #include <linux/percpu.h> |
24 | #include <linux/audit.h> | ||
24 | #include <asm/uaccess.h> | 25 | #include <asm/uaccess.h> |
25 | #include <asm/semaphore.h> | 26 | #include <asm/semaphore.h> |
26 | 27 | ||
@@ -126,6 +127,10 @@ static ssize_t sel_write_enforce(struct file * file, const char __user * buf, | |||
126 | length = task_has_security(current, SECURITY__SETENFORCE); | 127 | length = task_has_security(current, SECURITY__SETENFORCE); |
127 | if (length) | 128 | if (length) |
128 | goto out; | 129 | goto out; |
130 | audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, | ||
131 | "enforcing=%d old_enforcing=%d auid=%u", new_value, | ||
132 | selinux_enforcing, | ||
133 | audit_get_loginuid(current->audit_context)); | ||
129 | selinux_enforcing = new_value; | 134 | selinux_enforcing = new_value; |
130 | if (selinux_enforcing) | 135 | if (selinux_enforcing) |
131 | avc_ss_reset(0); | 136 | avc_ss_reset(0); |
@@ -176,6 +181,9 @@ static ssize_t sel_write_disable(struct file * file, const char __user * buf, | |||
176 | length = selinux_disable(); | 181 | length = selinux_disable(); |
177 | if (length < 0) | 182 | if (length < 0) |
178 | goto out; | 183 | goto out; |
184 | audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, | ||
185 | "selinux=0 auid=%u", | ||
186 | audit_get_loginuid(current->audit_context)); | ||
179 | } | 187 | } |
180 | 188 | ||
181 | length = count; | 189 | length = count; |
@@ -261,6 +269,9 @@ static ssize_t sel_write_load(struct file * file, const char __user * buf, | |||
261 | length = ret; | 269 | length = ret; |
262 | else | 270 | else |
263 | length = count; | 271 | length = count; |
272 | audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD, | ||
273 | "policy loaded auid=%u", | ||
274 | audit_get_loginuid(current->audit_context)); | ||
264 | out: | 275 | out: |
265 | up(&sel_sem); | 276 | up(&sel_sem); |
266 | vfree(data); | 277 | vfree(data); |
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 8a764928ff4..d877cd16a81 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
@@ -1758,19 +1758,22 @@ int security_set_bools(int len, int *values) | |||
1758 | goto out; | 1758 | goto out; |
1759 | } | 1759 | } |
1760 | 1760 | ||
1761 | printk(KERN_INFO "security: committed booleans { "); | ||
1762 | for (i = 0; i < len; i++) { | 1761 | for (i = 0; i < len; i++) { |
1762 | if (!!values[i] != policydb.bool_val_to_struct[i]->state) { | ||
1763 | audit_log(current->audit_context, GFP_ATOMIC, | ||
1764 | AUDIT_MAC_CONFIG_CHANGE, | ||
1765 | "bool=%s val=%d old_val=%d auid=%u", | ||
1766 | policydb.p_bool_val_to_name[i], | ||
1767 | !!values[i], | ||
1768 | policydb.bool_val_to_struct[i]->state, | ||
1769 | audit_get_loginuid(current->audit_context)); | ||
1770 | } | ||
1763 | if (values[i]) { | 1771 | if (values[i]) { |
1764 | policydb.bool_val_to_struct[i]->state = 1; | 1772 | policydb.bool_val_to_struct[i]->state = 1; |
1765 | } else { | 1773 | } else { |
1766 | policydb.bool_val_to_struct[i]->state = 0; | 1774 | policydb.bool_val_to_struct[i]->state = 0; |
1767 | } | 1775 | } |
1768 | if (i != 0) | ||
1769 | printk(", "); | ||
1770 | printk("%s:%d", policydb.p_bool_val_to_name[i], | ||
1771 | policydb.bool_val_to_struct[i]->state); | ||
1772 | } | 1776 | } |
1773 | printk(" }\n"); | ||
1774 | 1777 | ||
1775 | for (cur = policydb.cond_list; cur != NULL; cur = cur->next) { | 1778 | for (cur = policydb.cond_list; cur != NULL; cur = cur->next) { |
1776 | rc = evaluate_cond_node(&policydb, cur); | 1779 | rc = evaluate_cond_node(&policydb, cur); |