authorSteve Grubb <sgrubb@redhat.com>2006-01-04 09:08:39 -0500
committerAl Viro <viro@zeniv.linux.org.uk>2006-03-20 14:08:54 -0500
commitaf601e4623d0303bfafa54ec728b7ae8493a8e1b (patch)
tree5f79d5ae42eeccfc1ffaf8e82a1999e4d3af793e
parentd884596f44ef5a0bcd8a66405dc04902aeaa6fc7 (diff)
[PATCH] SE Linux audit events
Attached is a patch that hardwires important SE Linux events to the audit system. Please Apply. Signed-off-by: Steve Grubb <sgrubb@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
-rw-r--r--include/linux/audit.h3
-rw-r--r--security/selinux/selinuxfs.c11
-rw-r--r--security/selinux/ss/services.c15
3 files changed, 23 insertions, 6 deletions
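diff --git a/include/linux/audit.h b/include/linux/audit.h
index fbc21d6267f3..8868c96ca8a2 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -83,6 +83,9 @@
 #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
 #define AUDIT_AVC_PATH 1402 /* dentry, vfsmount pair from avc */
+#define AUDIT_MAC_POLICY_LOAD 1403 /* Policy file load */
+#define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */
+#define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */
 
 #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
 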
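diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index b5fa02d17b1e..5eba6664eac0 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -21,6 +21,7 @@
 #include <linux/major.h>
 #include <linux/seq_file.h>
 #include <linux/percpu.h>
+#include <linux/audit.h>
 #include <asm/uaccess.h>
 #include <asm/semaphore.h>
 
@@ -126,6 +127,10 @@ static ssize_t sel_write_enforce(struct file * file, const char __user * buf,
 	length = task_has_security(current, SECURITY__SETENFORCE);
 	if (length)
 		goto out;
+	audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
+		"enforcing=%d old_enforcing=%d auid=%u", new_value,
+		selinux_enforcing,
+		audit_get_loginuid(current->audit_context));
 	selinux_enforcing = new_value;
 	if (selinux_enforcing)
 		avc_ss_reset(0);
@@ -176,6 +181,9 @@ static ssize_t sel_write_disable(struct file * file, const char __user * buf,
 		length = selinux_disable();
 		if (length < 0)
 			goto out;
+		audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
+			"selinux=0 auid=%u",
+			audit_get_loginuid(current->audit_context));
 	}
 
 	length = count;
@@ -261,6 +269,9 @@ static ssize_t sel_write_load(struct file * file, const char __user * buf,
 		length = ret;
 	else
 		length = count;
+	audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
+		"policy loaded auid=%u",
+		audit_get_loginuid(current->audit_context));
 out:
 	up(&sel_sem);
 	vfree(data);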
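Review bot: In sel_write_load the new AUDIT_MAC_POLICY_LOAD record is emitted unconditionally after `length = ret; else length = count;`, so a load that failed (the branch storing `ret` into `length`) is still recorded as "policy loaded", which misleads anyone reconstructing policy history from the audit trail. Either confine the record to the success branch, `else { length = count; audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD, "policy loaded auid=%u", audit_get_loginuid(current->audit_context)); }`, or add an outcome field such as `res=%d` derived from `ret` so the record is truthful on both paths. The AUDIT_MAC_STATUS record in sel_write_enforce (new lines 130-133) has a smaller version of the same problem: it is written even when `new_value` equals the current `selinux_enforcing`, so a no-op write reads as a mode transition; comparing the two before logging would avoid that. Both functions begin and end outside their hunks, so the `if (ret)` that feeds `length` is inferred from the visible `else`.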
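diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 8a764928ff4b..d877cd16a813 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1758,19 +1758,22 @@ int security_set_bools(int len, int *values)
 		goto out;
 	}
 
-	printk(KERN_INFO "security: committed booleans { ");
 	for (i = 0; i < len; i++) {
+		if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
+			audit_log(current->audit_context, GFP_ATOMIC,
+				AUDIT_MAC_CONFIG_CHANGE,
+				"bool=%s val=%d old_val=%d auid=%u",
+				policydb.p_bool_val_to_name[i],
+				!!values[i],
+				policydb.bool_val_to_struct[i]->state,
+				audit_get_loginuid(current->audit_context));
+		}
 		if (values[i]) {
 			policydb.bool_val_to_struct[i]->state = 1;
 		} else {
 			policydb.bool_val_to_struct[i]->state = 0;
 		}
-		if (i != 0)
-			printk(", ");
-		printk("%s:%d", policydb.p_bool_val_to_name[i],
-			policydb.bool_val_to_struct[i]->state);
 	}
-	printk(" }\n");
 
 	for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
 		rc = evaluate_cond_node(&policydb, cur);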
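Review bot: `policydb.p_bool_val_to_name[i]` is a string that comes from the loaded policy file and is formatted straight into the record via `bool=%s` in the new block at lines 1762-1770; a name containing spaces, quotes or non-printable bytes would break the key=value structure that audit consumers parse, so the field's value should be treated as untrusted. If this tree's audit layer offers the escaping path (later kernels build the record with audit_log_start()/audit_log_format() and pass such fields through audit_log_untrustedstring), log the name through it; otherwise record the assumption next to the call, `/* bool name is policy-supplied and logged unescaped */`. A small style point: the if/else that follows could collapse to `policydb.bool_val_to_struct[i]->state = !!values[i];`, matching the `!!values[i]` already used in the comparison and the record. security_set_bools starts and ends outside the hunk.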