selinux: Only audit permissions specified in policy

Only audit the permissions specified by the policy rules. Before: type=AVC msg=audit(01/28/2010 14:30:46.690:3250) : avc: denied { read append } for pid=14092 comm=foo name=test_file dev=dm-1 ino=132932 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file After: type=AVC msg=audit(01/28/2010 14:52:37.448:26) : avc: denied { append } for pid=1917 comm=foo name=test_file dev=dm-1 ino=132932 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file Reference: https://bugzilla.redhat.com/show_bug.cgi?id=558499 Reported-by: Tom London <selinux@gmail.com> Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
author: Stephen Smalley <sds@tycho.nsa.gov> 2010-02-02 11:31:51 -0500
committer: James Morris <jmorris@namei.org> 2010-02-02 16:49:10 -0500
commit: b6cac5a30b325e14cda425670bb3568d3cad0aa8 (patch)
tree: 276a3a2a985c862ac9439cb2f8facabb7d1f1944
parent: 8e2d39a1665e680c095545993aac2fcac6916eb9 (diff)
1 files changed, 7 insertions, 10 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 3ee9b6a8beb6..db0fd9f33499 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -489,17 +489,14 @@ void avc_audit(u32 ssid, u32 tsid,
        struct common_audit_data stack_data;
        u32 denied, audited;
        denied = requested & ~avd->allowed;
-        if (denied) {
+        if (denied)
-                audited = denied;
+                audited = denied & avd->auditdeny;
-                if (!(audited & avd->auditdeny))
+        else if (result)
-                        return;
-        } else if (result) {
                audited = denied = requested;
-        } else {
+        else
-                audited = requested;
+                audited = requested & avd->auditallow;
-                if (!(audited & avd->auditallow))
+        if (!audited)
-                        return;
+                return;
-        }
        if (!a) {
                a = &stack_data;
                memset(a, 0, sizeof(*a));
author	Stephen Smalley <sds@tycho.nsa.gov>	2010-02-02 11:31:51 -0500
committer	James Morris <jmorris@namei.org>	2010-02-02 16:49:10 -0500
commit	b6cac5a30b325e14cda425670bb3568d3cad0aa8 (patch)
tree	276a3a2a985c862ac9439cb2f8facabb7d1f1944
parent	8e2d39a1665e680c095545993aac2fcac6916eb9 (diff)

diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 3ee9b6a8beb6..db0fd9f33499 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c
@@ -489,17 +489,14 @@ void avc_audit(u32 ssid, u32 tsid,
489	struct common_audit_data stack_data;	489	struct common_audit_data stack_data;
490	u32 denied, audited;	490	u32 denied, audited;
491	denied = requested & ~avd->allowed;	491	denied = requested & ~avd->allowed;
492	if (denied) {	492	if (denied)
493	audited = denied;	493	audited = denied & avd->auditdeny;
494	if (!(audited & avd->auditdeny))	494	else if (result)
495	return;
496	} else if (result) {
497	audited = denied = requested;	495	audited = denied = requested;
498	} else {	496	else
499	audited = requested;	497	audited = requested & avd->auditallow;
500	if (!(audited & avd->auditallow))	498	if (!audited)
501	return;	499	return;
502	}
503	if (!a) {	500	if (!a) {
504	a = &stack_data;	501	a = &stack_data;
505	memset(a, 0, sizeof(*a));	502	memset(a, 0, sizeof(*a));