summaryrefslogtreecommitdiffstats
diff options
context:
space:
mode:
authorSteve Grubb <sgrubb@redhat.com>2006-01-04 14:08:39 +0000
committerAl Viro <viro@zeniv.linux.org.uk>2006-03-20 14:08:54 -0500
commitaf601e4623d0303bfafa54ec728b7ae8493a8e1b (patch)
tree5f79d5ae42eeccfc1ffaf8e82a1999e4d3af793e
parentd884596f44ef5a0bcd8a66405dc04902aeaa6fc7 (diff)
downloadkernel-crypto-af601e4623d0303bfafa54ec728b7ae8493a8e1b.tar.gz
kernel-crypto-af601e4623d0303bfafa54ec728b7ae8493a8e1b.tar.xz
kernel-crypto-af601e4623d0303bfafa54ec728b7ae8493a8e1b.zip
[PATCH] SE Linux audit events
Attached is a patch that hardwires important SE Linux events to the audit system. Please Apply. Signed-off-by: Steve Grubb <sgrubb@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: David Woodhouse <dwmw2@infradead.org>
-rw-r--r--include/linux/audit.h3
-rw-r--r--security/selinux/selinuxfs.c11
-rw-r--r--security/selinux/ss/services.c15
3 files changed, 23 insertions, 6 deletions
diff --git a/include/linux/audit.h b/include/linux/audit.h
index fbc21d6267f..8868c96ca8a 100644
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -83,6 +83,9 @@
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
#define AUDIT_AVC_PATH 1402 /* dentry, vfsmount pair from avc */
+#define AUDIT_MAC_POLICY_LOAD 1403 /* Policy file load */
+#define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */
+#define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */
#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index b5fa02d17b1..5eba6664eac 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -21,6 +21,7 @@
#include <linux/major.h>
#include <linux/seq_file.h>
#include <linux/percpu.h>
+#include <linux/audit.h>
#include <asm/uaccess.h>
#include <asm/semaphore.h>
@@ -126,6 +127,10 @@ static ssize_t sel_write_enforce(struct file * file, const char __user * buf,
length = task_has_security(current, SECURITY__SETENFORCE);
if (length)
goto out;
+ audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
+ "enforcing=%d old_enforcing=%d auid=%u", new_value,
+ selinux_enforcing,
+ audit_get_loginuid(current->audit_context));
selinux_enforcing = new_value;
if (selinux_enforcing)
avc_ss_reset(0);
@@ -176,6 +181,9 @@ static ssize_t sel_write_disable(struct file * file, const char __user * buf,
length = selinux_disable();
if (length < 0)
goto out;
+ audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
+ "selinux=0 auid=%u",
+ audit_get_loginuid(current->audit_context));
}
length = count;
@@ -261,6 +269,9 @@ static ssize_t sel_write_load(struct file * file, const char __user * buf,
length = ret;
else
length = count;
+ audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
+ "policy loaded auid=%u",
+ audit_get_loginuid(current->audit_context));
out:
up(&sel_sem);
vfree(data);
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 8a764928ff4..d877cd16a81 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1758,19 +1758,22 @@ int security_set_bools(int len, int *values)
goto out;
}
- printk(KERN_INFO "security: committed booleans { ");
for (i = 0; i < len; i++) {
+ if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
+ audit_log(current->audit_context, GFP_ATOMIC,
+ AUDIT_MAC_CONFIG_CHANGE,
+ "bool=%s val=%d old_val=%d auid=%u",
+ policydb.p_bool_val_to_name[i],
+ !!values[i],
+ policydb.bool_val_to_struct[i]->state,
+ audit_get_loginuid(current->audit_context));
+ }
if (values[i]) {
policydb.bool_val_to_struct[i]->state = 1;
} else {
policydb.bool_val_to_struct[i]->state = 0;
}
- if (i != 0)
- printk(", ");
- printk("%s:%d", policydb.p_bool_val_to_name[i],
- policydb.bool_val_to_struct[i]->state);
}
- printk(" }\n");
for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
rc = evaluate_cond_node(&policydb, cur);