[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: [Patch] SE Linux audit events



On Monday 05 December 2005 10:40, Stephen Smalley wrote:
> Note that selinux_disable() could fail (if policy has previously been
> loaded or SELinux was already disabled), so it seems like you want this
> audit_log call moved after the check.

Done

> Offhand, I'd suggest just dropping the printk statements from this function
> given your new audit_log call

Done

Attached is a patch that hardwires important SE Linux events to the audit 
system. Please Apply.

Signed-off-by: Steve Grubb <sgrubb redhat com>


diff -urp linux-2.6.14.orig/include/linux/audit.h linux-2.6.14/include/linux/audit.h
--- linux-2.6.14.orig/include/linux/audit.h     2005-12-06 12:45:15.000000000 -0500
+++ linux-2.6.14/include/linux/audit.h  2005-12-06 13:19:01.000000000 -0500
@@ -83,6 +83,9 @@
 #define AUDIT_AVC              1400    /* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR      1401    /* Internal SE Linux Errors */
 #define AUDIT_AVC_PATH         1402    /* dentry, vfsmount pair from avc */
+#define AUDIT_MAC_POLICY_LOAD  1403    /* Policy file load */
+#define AUDIT_MAC_STATUS       1404    /* Changed enforcing,permissive,off */
+#define AUDIT_MAC_CONFIG_CHANGE        1405    /* Changes to booleans */

 #define AUDIT_KERNEL           2000    /* Asynchronous audit record. NOT A REQUEST. */

diff -urp linux-2.6.14.orig/security/selinux/selinuxfs.c linux-2.6.14/security/selinux/selinuxfs.c
--- linux-2.6.14.orig/security/selinux/selinuxfs.c      2005-12-06 12:45:23.000000000 -0500
+++ linux-2.6.14/security/selinux/selinuxfs.c   2005-12-06 13:24:27.000000000 -0500
@@ -23,6 +23,7 @@
 #include <linux/percpu.h>
 #include <asm/uaccess.h>
 #include <asm/semaphore.h>
+#include <linux/audit.h>

 /* selinuxfs pseudo filesystem for exporting the security policy API.
    Based on the proc code and the fs/nfsd/nfsctl.c code. */
@@ -126,6 +127,10 @@ static ssize_t sel_write_enforce(struct
                length = task_has_security(current, SECURITY__SETENFORCE);
                if (length)
                        goto out;
+               audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
+                       "enforcing=%d old_enforcing=%d auid=%u", new_value,
+                       selinux_enforcing,
+                       audit_get_loginuid(current->audit_context));
                selinux_enforcing = new_value;
                if (selinux_enforcing)
                        avc_ss_reset(0);
@@ -176,6 +181,9 @@ static ssize_t sel_write_disable(struct
                length = selinux_disable();
                if (length < 0)
                        goto out;
+               audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
+                       "selinux=0 auid=%u",
+                       audit_get_loginuid(current->audit_context));
        }

        length = count;
@@ -261,6 +269,9 @@ static ssize_t sel_write_load(struct fil
                length = ret;
        else
                length = count;
+       audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
+               "policy loaded auid=%u",
+               audit_get_loginuid(current->audit_context));
 out:
        up(&sel_sem);
        vfree(data);
diff -urp linux-2.6.14.orig/security/selinux/ss/services.c linux-2.6.14/security/selinux/ss/services.c
--- linux-2.6.14.orig/security/selinux/ss/services.c    2005-12-06 12:45:23.000000000 -0500
+++ linux-2.6.14/security/selinux/ss/services.c 2005-12-06 13:26:45.000000000 -0500
@@ -1758,19 +1758,22 @@ int security_set_bools(int len, int *val
                goto out;
        }

-       printk(KERN_INFO "security: committed booleans { ");
        for (i = 0; i < len; i++) {
+               if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
+                       audit_log(current->audit_context, GFP_ATOMIC,
+                               AUDIT_MAC_CONFIG_CHANGE,
+                               "bool=%s val=%d old_val=%d auid=%u",
+                               policydb.p_bool_val_to_name[i],
+                               !!values[i],
+                               policydb.bool_val_to_struct[i]->state,
+                               audit_get_loginuid(current->audit_context));
+               }
                if (values[i]) {
                        policydb.bool_val_to_struct[i]->state = 1;
                } else {
                        policydb.bool_val_to_struct[i]->state = 0;
                }
-               if (i != 0)
-                       printk(", ");
-               printk("%s:%d", policydb.p_bool_val_to_name[i],
-                      policydb.bool_val_to_struct[i]->state);
        }
-       printk(" }\n");

        for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
                rc = evaluate_cond_node(&policydb, cur);


[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]