[PATCH] SE Linux audit events

author Steve Grubb <sgrubb@redhat.com>

Wed, 4 Jan 2006 14:08:39 +0000 (14:08 +0000)

committer Al Viro <viro@zeniv.linux.org.uk>

Mon, 20 Mar 2006 19:08:54 +0000 (14:08 -0500)
author Steve Grubb <sgrubb@redhat.com>
Wed, 4 Jan 2006 14:08:39 +0000 (14:08 +0000)
committer Al Viro <viro@zeniv.linux.org.uk>
Mon, 20 Mar 2006 19:08:54 +0000 (14:08 -0500)
diff --git a/include/linux/audit.h b/include/linux/audit.h

index fbc21d6..8868c96 100644 (file)
--- a/include/linux/audit.h
+++ b/include/linux/audit.h
@@ -83,6 +83,9 @@
  #define AUDIT_AVC              1400    /* SE Linux avc denial or grant */
  #define AUDIT_SELINUX_ERR      1401    /* Internal SE Linux Errors */
  #define AUDIT_AVC_PATH         1402    /* dentry, vfsmount pair from avc */
+#define AUDIT_MAC_POLICY_LOAD  1403    /* Policy file load */
+#define AUDIT_MAC_STATUS       1404    /* Changed enforcing,permissive,off */
+#define AUDIT_MAC_CONFIG_CHANGE        1405    /* Changes to booleans */
  
  #define AUDIT_KERNEL           2000    /* Asynchronous audit record. NOT A REQUEST. */
  
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c

index b5fa02d..5eba666 100644 (file)
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -21,6 +21,7 @@
  #include <linux/major.h>
  #include <linux/seq_file.h>
  #include <linux/percpu.h>
+#include <linux/audit.h>
  #include <asm/uaccess.h>
  #include <asm/semaphore.h>
  
@@ -126,6 +127,10 @@ static ssize_t sel_write_enforce(struct file * file, const char __user * buf,
                 length = task_has_security(current, SECURITY__SETENFORCE);
                 if (length)
                         goto out;
+               audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
+                       "enforcing=%d old_enforcing=%d auid=%u", new_value, 
+                       selinux_enforcing,
+                       audit_get_loginuid(current->audit_context));
                 selinux_enforcing = new_value;
                 if (selinux_enforcing)
                         avc_ss_reset(0);
@@ -176,6 +181,9 @@ static ssize_t sel_write_disable(struct file * file, const char __user * buf,
                 length = selinux_disable();
                 if (length < 0)
                         goto out;
+               audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
+                       "selinux=0 auid=%u",
+                       audit_get_loginuid(current->audit_context));
         }
  
         length = count;
@@ -261,6 +269,9 @@ static ssize_t sel_write_load(struct file * file, const char __user * buf,
                 length = ret;
         else
                 length = count;
+       audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
+               "policy loaded auid=%u",
+               audit_get_loginuid(current->audit_context));
  out:
         up(&sel_sem);
         vfree(data);
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c

index 8a76492..d877cd1 100644 (file)
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1758,19 +1758,22 @@ int security_set_bools(int len, int *values)
                 goto out;
         }
  
-       printk(KERN_INFO "security: committed booleans { ");
         for (i = 0; i < len; i++) {
+               if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
+                       audit_log(current->audit_context, GFP_ATOMIC,
+                               AUDIT_MAC_CONFIG_CHANGE,
+                               "bool=%s val=%d old_val=%d auid=%u",
+                               policydb.p_bool_val_to_name[i],
+                               !!values[i],
+                               policydb.bool_val_to_struct[i]->state,
+                               audit_get_loginuid(current->audit_context));
+               }
                 if (values[i]) {
                         policydb.bool_val_to_struct[i]->state = 1;
                 } else {
                         policydb.bool_val_to_struct[i]->state = 0;
                 }
-               if (i != 0)
-                       printk(", ");
-               printk("%s:%d", policydb.p_bool_val_to_name[i],
-                      policydb.bool_val_to_struct[i]->state);
         }
-       printk(" }\n");
  
         for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
                 rc = evaluate_cond_node(&policydb, cur);
author	Steve Grubb <sgrubb@redhat.com>
	Wed, 4 Jan 2006 14:08:39 +0000 (14:08 +0000)
committer	Al Viro <viro@zeniv.linux.org.uk>
	Mon, 20 Mar 2006 19:08:54 +0000 (14:08 -0500)
include/linux/audit.h		patch \| blob \| history
security/selinux/selinuxfs.c		patch \| blob \| history
security/selinux/ss/services.c		patch \| blob \| history