diff options
| author | Steve Grubb <sgrubb@redhat.com> | 2006-01-04 09:08:39 -0500 |
|---|---|---|
| committer | Al Viro <viro@zeniv.linux.org.uk> | 2006-03-20 14:08:54 -0500 |
| commit | af601e4623d0303bfafa54ec728b7ae8493a8e1b (patch) | |
| tree | 5f79d5ae42eeccfc1ffaf8e82a1999e4d3af793e /security | |
| parent | d884596f44ef5a0bcd8a66405dc04902aeaa6fc7 (diff) | |
[PATCH] SE Linux audit events
Attached is a patch that hardwires important SE Linux events to the audit
system. Please Apply.
Signed-off-by: Steve Grubb <sgrubb@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: David Woodhouse <dwmw2@infradead.org>
Diffstat (limited to 'security')
| -rw-r--r-- | security/selinux/selinuxfs.c | 11 | ||||
| -rw-r--r-- | security/selinux/ss/services.c | 15 |
2 files changed, 20 insertions, 6 deletions
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index b5fa02d17b1e..5eba6664eac0 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c | |||
| @@ -21,6 +21,7 @@ | |||
| 21 | #include <linux/major.h> | 21 | #include <linux/major.h> |
| 22 | #include <linux/seq_file.h> | 22 | #include <linux/seq_file.h> |
| 23 | #include <linux/percpu.h> | 23 | #include <linux/percpu.h> |
| 24 | #include <linux/audit.h> | ||
| 24 | #include <asm/uaccess.h> | 25 | #include <asm/uaccess.h> |
| 25 | #include <asm/semaphore.h> | 26 | #include <asm/semaphore.h> |
| 26 | 27 | ||
| @@ -126,6 +127,10 @@ static ssize_t sel_write_enforce(struct file * file, const char __user * buf, | |||
| 126 | length = task_has_security(current, SECURITY__SETENFORCE); | 127 | length = task_has_security(current, SECURITY__SETENFORCE); |
| 127 | if (length) | 128 | if (length) |
| 128 | goto out; | 129 | goto out; |
| 130 | audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, | ||
| 131 | "enforcing=%d old_enforcing=%d auid=%u", new_value, | ||
| 132 | selinux_enforcing, | ||
| 133 | audit_get_loginuid(current->audit_context)); | ||
| 129 | selinux_enforcing = new_value; | 134 | selinux_enforcing = new_value; |
| 130 | if (selinux_enforcing) | 135 | if (selinux_enforcing) |
| 131 | avc_ss_reset(0); | 136 | avc_ss_reset(0); |
| @@ -176,6 +181,9 @@ static ssize_t sel_write_disable(struct file * file, const char __user * buf, | |||
| 176 | length = selinux_disable(); | 181 | length = selinux_disable(); |
| 177 | if (length < 0) | 182 | if (length < 0) |
| 178 | goto out; | 183 | goto out; |
| 184 | audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, | ||
| 185 | "selinux=0 auid=%u", | ||
| 186 | audit_get_loginuid(current->audit_context)); | ||
| 179 | } | 187 | } |
| 180 | 188 | ||
| 181 | length = count; | 189 | length = count; |
| @@ -261,6 +269,9 @@ static ssize_t sel_write_load(struct file * file, const char __user * buf, | |||
| 261 | length = ret; | 269 | length = ret; |
| 262 | else | 270 | else |
| 263 | length = count; | 271 | length = count; |
| 272 | audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD, | ||
| 273 | "policy loaded auid=%u", | ||
| 274 | audit_get_loginuid(current->audit_context)); | ||
| 264 | out: | 275 | out: |
| 265 | up(&sel_sem); | 276 | up(&sel_sem); |
| 266 | vfree(data); | 277 | vfree(data); |
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 8a764928ff4b..d877cd16a813 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
| @@ -1758,19 +1758,22 @@ int security_set_bools(int len, int *values) | |||
| 1758 | goto out; | 1758 | goto out; |
| 1759 | } | 1759 | } |
| 1760 | 1760 | ||
| 1761 | printk(KERN_INFO "security: committed booleans { "); | ||
| 1762 | for (i = 0; i < len; i++) { | 1761 | for (i = 0; i < len; i++) { |
| 1762 | if (!!values[i] != policydb.bool_val_to_struct[i]->state) { | ||
| 1763 | audit_log(current->audit_context, GFP_ATOMIC, | ||
| 1764 | AUDIT_MAC_CONFIG_CHANGE, | ||
| 1765 | "bool=%s val=%d old_val=%d auid=%u", | ||
| 1766 | policydb.p_bool_val_to_name[i], | ||
| 1767 | !!values[i], | ||
| 1768 | policydb.bool_val_to_struct[i]->state, | ||
| 1769 | audit_get_loginuid(current->audit_context)); | ||
| 1770 | } | ||
| 1763 | if (values[i]) { | 1771 | if (values[i]) { |
| 1764 | policydb.bool_val_to_struct[i]->state = 1; | 1772 | policydb.bool_val_to_struct[i]->state = 1; |
| 1765 | } else { | 1773 | } else { |
| 1766 | policydb.bool_val_to_struct[i]->state = 0; | 1774 | policydb.bool_val_to_struct[i]->state = 0; |
| 1767 | } | 1775 | } |
| 1768 | if (i != 0) | ||
| 1769 | printk(", "); | ||
| 1770 | printk("%s:%d", policydb.p_bool_val_to_name[i], | ||
| 1771 | policydb.bool_val_to_struct[i]->state); | ||
| 1772 | } | 1776 | } |
| 1773 | printk(" }\n"); | ||
| 1774 | 1777 | ||
| 1775 | for (cur = policydb.cond_list; cur != NULL; cur = cur->next) { | 1778 | for (cur = policydb.cond_list; cur != NULL; cur = cur->next) { |
| 1776 | rc = evaluate_cond_node(&policydb, cur); | 1779 | rc = evaluate_cond_node(&policydb, cur); |