
[Patch] SE Linux audit events



On Tuesday 08 November 2005 10:32, Steve Grubb wrote:
> I think we need to add some SE Linux kernel message types for audit into
> the kernel and start patching the kernel to report these messages -
> including the information of previous value and new value.

Attached is a patch that hardwires important SE Linux events to the audit 
system. Please Apply.

Signed-off-by: Steve Grubb <sgrubb redhat com>

diff -urp linux-2.6.14.orig/include/linux/audit.h linux-2.6.14/include/linux/audit.h
--- linux-2.6.14.orig/include/linux/audit.h	2005-12-02 15:05:31.000000000 -0500
+++ linux-2.6.14/include/linux/audit.h	2005-12-02 15:06:27.000000000 -0500
@@ -83,6 +83,9 @@
 #define AUDIT_AVC		1400	/* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR	1401	/* Internal SE Linux Errors */
 #define AUDIT_AVC_PATH		1402	/* dentry, vfsmount pair from avc */
+#define AUDIT_MAC_POLICY_LOAD	1403	/* Policy file load */
+#define AUDIT_MAC_STATUS	1404	/* Changed enforcing,permissive,off */
+#define AUDIT_MAC_CONFIG_CHANGE	1405	/* Changes to booleans */
 
 #define AUDIT_KERNEL		2000	/* Asynchronous audit record. NOT A REQUEST. */
 
diff -urp linux-2.6.14.orig/security/selinux/selinuxfs.c linux-2.6.14/security/selinux/selinuxfs.c
--- linux-2.6.14.orig/security/selinux/selinuxfs.c	2005-12-02 15:05:39.000000000 -0500
+++ linux-2.6.14/security/selinux/selinuxfs.c	2005-12-02 15:06:27.000000000 -0500
@@ -23,6 +23,7 @@
 #include <linux/percpu.h>
 #include <asm/uaccess.h>
 #include <asm/semaphore.h>
+#include <linux/audit.h>
 
 /* selinuxfs pseudo filesystem for exporting the security policy API.
    Based on the proc code and the fs/nfsd/nfsctl.c code. */
@@ -126,6 +127,10 @@ static ssize_t sel_write_enforce(struct 
 		length = task_has_security(current, SECURITY__SETENFORCE);
 		if (length)
 			goto out;
+		audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
+			"enforcing=%d old_enforcing=%d auid=%u", new_value, 
+			selinux_enforcing,
+			audit_get_loginuid(current->audit_context));
 		selinux_enforcing = new_value;
 		if (selinux_enforcing)
 			avc_ss_reset(0);
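Review bot: The AUDIT_MAC_STATUS record on the added lines is emitted for every write that passes the permission check, including one where `new_value` already equals `selinux_enforcing`, so a no-op write produces an `enforcing=1 old_enforcing=1` record. If only real transitions should be recorded, wrap the call in `if (new_value != selinux_enforcing)`; if attempts are meant to be recorded too, a one-line comment saying so would stop the next reader from "fixing" it. Capturing `selinux_enforcing` before the assignment on the following line is correct for the old value. As a point of style, the second added line has trailing whitespace after `new_value,`. sel_write_enforce begins and ends outside the hunk.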
@@ -174,6 +179,9 @@ static ssize_t sel_write_disable(struct 
 
 	if (new_value) {
 		length = selinux_disable();
+		audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
+			"selinux=0 auid=%u",
+			audit_get_loginuid(current->audit_context));
 		if (length < 0)
 			goto out;
 	}
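Review bot: The `selinux=0` record is written before the `if (length < 0) goto out;` check that follows it, so when selinux_disable() fails the audit trail still states that SELinux was disabled. Either move the three added lines below that check so the record is only emitted on success, or carry the outcome in the record, e.g. `"selinux=0 res=%d auid=%u", length >= 0,`, so a consumer can tell a failed attempt from a real status change. sel_write_disable begins and ends outside the hunk.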
@@ -261,6 +269,9 @@ static ssize_t sel_write_load(struct fil
 		length = ret;
 	else
 		length = count;
+	audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
+		"policy loaded auid=%u",
+		audit_get_loginuid(current->audit_context));
 out:
 	up(&sel_sem);
 	vfree(data);
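Review bot: The `policy loaded` record is emitted after both branches that set `length`, so when the `length = ret;` branch is taken — which from the visible else/`length = count` shape is presumably the error path, though its condition lies outside the hunk — the record still claims a successful load. Either guard the call with `if (length >= 0)` or add the outcome to the record, e.g. `"policy loaded res=%d auid=%u", length >= 0,`. Earlier failure paths that jump to `out:` before this point would emit no record at all, which is worth a comment if intended. sel_write_load begins and ends outside the hunk.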
diff -urp linux-2.6.14.orig/security/selinux/ss/services.c linux-2.6.14/security/selinux/ss/services.c
--- linux-2.6.14.orig/security/selinux/ss/services.c	2005-12-02 15:05:39.000000000 -0500
+++ linux-2.6.14/security/selinux/ss/services.c	2005-12-02 15:08:31.000000000 -0500
@@ -1760,6 +1760,15 @@ int security_set_bools(int len, int *val
 
 	printk(KERN_INFO "security: committed booleans { ");
 	for (i = 0; i < len; i++) {
+		if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
+			audit_log(current->audit_context, GFP_ATOMIC,
+				AUDIT_MAC_CONFIG_CHANGE,
+				"bool=%s val=%d old_val=%d auid=%u",
+				policydb.p_bool_val_to_name[i],
+				!!values[i],
+				policydb.bool_val_to_struct[i]->state,
+				audit_get_loginuid(current->audit_context));
+		}
 		if (values[i]) {
 			policydb.bool_val_to_struct[i]->state = 1;
 		} else {
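Review bot: The added block normalises `values[i]` with `!!` twice, once in the comparison and again as the `val=%d` argument, while the unchanged `if (values[i])` below tests it a third way; hoisting `int new_state = !!values[i];` at the top of the loop body and using it in all three places keeps the logged value and the committed value visibly the same. This hunk uses GFP_ATOMIC where the selinuxfs.c hunks use GFP_KERNEL, presumably because security_set_bools runs with the policy lock held; a short comment such as `/* policy lock held: no sleeping allocation */` would record that reasoning, since audit_log silently drops the record if an atomic allocation fails. security_set_bools begins and ends outside the hunk.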
