[Patch] SE Linux audit events

Steve Grubb sgrubb at redhat.com
Tue Dec 6 19:53:03 UTC 2005


On Monday 05 December 2005 10:40, Stephen Smalley wrote:
> Note that selinux_disable() could fail (if policy has previously been
> loaded or SELinux was already disabled), so it seems like you want this
> audit_log call moved after the check.

Done

> Offhand, I'd suggest just dropping the printk statements from this function
> given your new audit_log call

Done

Attached is a patch that hardwires important SE Linux events to the audit 
system. Please apply.

Signed-off-by: Steve Grubb <sgrubb at redhat.com>


diff -urp linux-2.6.14.orig/include/linux/audit.h linux-2.6.14/include/linux/audit.h
--- linux-2.6.14.orig/include/linux/audit.h     2005-12-06 12:45:15.000000000 -0500
+++ linux-2.6.14/include/linux/audit.h  2005-12-06 13:19:01.000000000 -0500
@@ -83,6 +83,9 @@
 #define AUDIT_AVC              1400    /* SE Linux avc denial or grant */
 #define AUDIT_SELINUX_ERR      1401    /* Internal SE Linux Errors */
 #define AUDIT_AVC_PATH         1402    /* dentry, vfsmount pair from avc */
+#define AUDIT_MAC_POLICY_LOAD  1403    /* Policy file load */
+#define AUDIT_MAC_STATUS       1404    /* Changed enforcing,permissive,off */
+#define AUDIT_MAC_CONFIG_CHANGE        1405    /* Changes to booleans */

 #define AUDIT_KERNEL           2000    /* Asynchronous audit record. NOT A REQUEST. */

diff -urp linux-2.6.14.orig/security/selinux/selinuxfs.c linux-2.6.14/security/selinux/selinuxfs.c
--- linux-2.6.14.orig/security/selinux/selinuxfs.c      2005-12-06 12:45:23.000000000 -0500
+++ linux-2.6.14/security/selinux/selinuxfs.c   2005-12-06 13:24:27.000000000 -0500
@@ -23,6 +23,7 @@
 #include <linux/percpu.h>
 #include <asm/uaccess.h>
 #include <asm/semaphore.h>
+#include <linux/audit.h>

 /* selinuxfs pseudo filesystem for exporting the security policy API.
    Based on the proc code and the fs/nfsd/nfsctl.c code. */
@@ -126,6 +127,10 @@ static ssize_t sel_write_enforce(struct
                length = task_has_security(current, SECURITY__SETENFORCE);
                if (length)
                        goto out;
+               audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
+                       "enforcing=%d old_enforcing=%d auid=%u", new_value,
+                       selinux_enforcing,
+                       audit_get_loginuid(current->audit_context));
                selinux_enforcing = new_value;
                if (selinux_enforcing)
                        avc_ss_reset(0);
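Review bot: The AUDIT_MAC_STATUS record added at `audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,` identifies the actor only by auid; when the task has no syscall audit context (a NULL audit_context, which audit_log accepts), no SYSCALL record accompanies it, so an enforcing-mode flip cannot be attributed to a pid or executable from the audit trail alone. Consider carrying the caller's identity in the record itself, e.g. `"enforcing=%d old_enforcing=%d auid=%u pid=%d comm=%s"` with `current->pid` and `current->comm` appended to the arguments, and doing the same for the disable and policy-load records in the next two hunks. The parsing of new_value from the user buffer and the function's return path lie outside this hunk, so whether the value is normalized to 0/1 before being logged is not visible here.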
@@ -176,6 +181,9 @@ static ssize_t sel_write_disable(struct
                length = selinux_disable();
                if (length < 0)
                        goto out;
+               audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
+                       "selinux=0 auid=%u",
+                       audit_get_loginuid(current->audit_context));
        }

        length = count;
@@ -261,6 +269,9 @@ static ssize_t sel_write_load(struct fil
                length = ret;
        else
                length = count;
+       audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
+               "policy loaded auid=%u",
+               audit_get_loginuid(current->audit_context));
 out:
        up(&sel_sem);
        vfree(data);
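Review bot: The AUDIT_MAC_POLICY_LOAD record at `audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,` is emitted after both branches of the preceding if/else, so "policy loaded" is also recorded on the `length = ret;` path that propagates a load failure; only the else branch setting `length = count` is a visible success path (the call that produces ret is above the hunk). A failed load is worth recording, but it must be distinguishable from a successful one: either move the call into the else branch or carry the result in the record, e.g. `"policy loaded auid=%u res=%d", audit_get_loginuid(current->audit_context), ret`. sel_write_load begins outside this hunk.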
diff -urp linux-2.6.14.orig/security/selinux/ss/services.c linux-2.6.14/security/selinux/ss/services.c
--- linux-2.6.14.orig/security/selinux/ss/services.c    2005-12-06 12:45:23.000000000 -0500
+++ linux-2.6.14/security/selinux/ss/services.c 2005-12-06 13:26:45.000000000 -0500
@@ -1758,19 +1758,22 @@ int security_set_bools(int len, int *val
                goto out;
        }

-       printk(KERN_INFO "security: committed booleans { ");
        for (i = 0; i < len; i++) {
+               if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
+                       audit_log(current->audit_context, GFP_ATOMIC,
+                               AUDIT_MAC_CONFIG_CHANGE,
+                               "bool=%s val=%d old_val=%d auid=%u",
+                               policydb.p_bool_val_to_name[i],
+                               !!values[i],
+                               policydb.bool_val_to_struct[i]->state,
+                               audit_get_loginuid(current->audit_context));
+               }
                if (values[i]) {
                        policydb.bool_val_to_struct[i]->state = 1;
                } else {
                        policydb.bool_val_to_struct[i]->state = 0;
                }
-               if (i != 0)
-                       printk(", ");
-               printk("%s:%d", policydb.p_bool_val_to_name[i],
-                      policydb.bool_val_to_struct[i]->state);
        }
-       printk(" }\n");

        for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
                rc = evaluate_cond_node(&policydb, cur);
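Review bot: In the new block starting at `if (!!values[i] != policydb.bool_val_to_struct[i]->state) {` the normalization `!!values[i]` is evaluated twice and the same truth value is then re-derived a third time by the if/else that stores 0 or 1; computing it once reads more clearly and keeps the logged value and the stored value from drifting apart. Declare `int new_state = !!values[i];` at the top of the loop body, compare and log `new_state`, and replace the four-line if/else with `policydb.bool_val_to_struct[i]->state = new_state;`. GFP_ATOMIC here is presumably because the caller holds the policy lock; if so, a brief comment saying so, e.g. `/* GFP_ATOMIC: called with policy lock held */`, would stop a later reader from "fixing" it to GFP_KERNEL. security_set_bools continues past the end of this hunk.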



