Commit af601e46 authored by Steve Grubb's avatar Steve Grubb Committed by Al Viro

[PATCH] SE Linux audit events

Attached is a patch that hardwires important SE Linux events to the audit
system. Please Apply.
Signed-off-by: default avatarSteve Grubb <sgrubb@redhat.com>
Acked-by: default avatarStephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: default avatarDavid Woodhouse <dwmw2@infradead.org>
parent d884596f
...@@ -83,6 +83,9 @@ ...@@ -83,6 +83,9 @@
#define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */
#define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */
#define AUDIT_AVC_PATH 1402 /* dentry, vfsmount pair from avc */ #define AUDIT_AVC_PATH 1402 /* dentry, vfsmount pair from avc */
#define AUDIT_MAC_POLICY_LOAD 1403 /* Policy file load */
#define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */
#define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */
#define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */
......
...@@ -21,6 +21,7 @@ ...@@ -21,6 +21,7 @@
#include <linux/major.h> #include <linux/major.h>
#include <linux/seq_file.h> #include <linux/seq_file.h>
#include <linux/percpu.h> #include <linux/percpu.h>
#include <linux/audit.h>
#include <asm/uaccess.h> #include <asm/uaccess.h>
#include <asm/semaphore.h> #include <asm/semaphore.h>
...@@ -126,6 +127,10 @@ static ssize_t sel_write_enforce(struct file * file, const char __user * buf, ...@@ -126,6 +127,10 @@ static ssize_t sel_write_enforce(struct file * file, const char __user * buf,
length = task_has_security(current, SECURITY__SETENFORCE); length = task_has_security(current, SECURITY__SETENFORCE);
if (length) if (length)
goto out; goto out;
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
"enforcing=%d old_enforcing=%d auid=%u", new_value,
selinux_enforcing,
audit_get_loginuid(current->audit_context));
selinux_enforcing = new_value; selinux_enforcing = new_value;
if (selinux_enforcing) if (selinux_enforcing)
avc_ss_reset(0); avc_ss_reset(0);
...@@ -176,6 +181,9 @@ static ssize_t sel_write_disable(struct file * file, const char __user * buf, ...@@ -176,6 +181,9 @@ static ssize_t sel_write_disable(struct file * file, const char __user * buf,
length = selinux_disable(); length = selinux_disable();
if (length < 0) if (length < 0)
goto out; goto out;
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS,
"selinux=0 auid=%u",
audit_get_loginuid(current->audit_context));
} }
length = count; length = count;
...@@ -261,6 +269,9 @@ static ssize_t sel_write_load(struct file * file, const char __user * buf, ...@@ -261,6 +269,9 @@ static ssize_t sel_write_load(struct file * file, const char __user * buf,
length = ret; length = ret;
else else
length = count; length = count;
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
"policy loaded auid=%u",
audit_get_loginuid(current->audit_context));
out: out:
up(&sel_sem); up(&sel_sem);
vfree(data); vfree(data);
......
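Review bot: The AUDIT_MAC_POLICY_LOAD record in sel_write_load is emitted unconditionally after `length = ret; else length = count;`, so a consumer reads "policy loaded" even on the path where `length` carries an error from the call just above the hunk, and whether the policy was already committed by then is not visible here. Recording the outcome in the event removes the ambiguity, e.g. `"policy loaded auid=%u res=%d", audit_get_loginuid(current->audit_context), length >= 0`. In the sel_write_enforce hunk the AUDIT_MAC_STATUS record is also written when `new_value` already equals `selinux_enforcing`, so the trail shows a status change that did not happen; if no-op writes are not meant to be audited, guard the record and the assignment together with `if (new_value != selinux_enforcing)`. All three functions in this file begin before their hunks and continue after them.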
...@@ -1758,19 +1758,22 @@ int security_set_bools(int len, int *values) ...@@ -1758,19 +1758,22 @@ int security_set_bools(int len, int *values)
goto out; goto out;
} }
printk(KERN_INFO "security: committed booleans { ");
for (i = 0; i < len; i++) { for (i = 0; i < len; i++) {
if (!!values[i] != policydb.bool_val_to_struct[i]->state) {
audit_log(current->audit_context, GFP_ATOMIC,
AUDIT_MAC_CONFIG_CHANGE,
"bool=%s val=%d old_val=%d auid=%u",
policydb.p_bool_val_to_name[i],
!!values[i],
policydb.bool_val_to_struct[i]->state,
audit_get_loginuid(current->audit_context));
}
if (values[i]) { if (values[i]) {
policydb.bool_val_to_struct[i]->state = 1; policydb.bool_val_to_struct[i]->state = 1;
} else { } else {
policydb.bool_val_to_struct[i]->state = 0; policydb.bool_val_to_struct[i]->state = 0;
} }
if (i != 0)
printk(", ");
printk("%s:%d", policydb.p_bool_val_to_name[i],
policydb.bool_val_to_struct[i]->state);
} }
printk(" }\n");
for (cur = policydb.cond_list; cur != NULL; cur = cur->next) { for (cur = policydb.cond_list; cur != NULL; cur = cur->next) {
rc = evaluate_cond_node(&policydb, cur); rc = evaluate_cond_node(&policydb, cur);
......
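Review bot: The loop body in security_set_bools normalizes `values[i]` three times — `!!values[i]` in the comparison, again as the logged value, and once more through the if/else that stores 1 or 0 — so the comparison, the record and the stored state can drift apart if one of them is edited later. Computing it once keeps them in step: `int new_state = !!values[i];`, compare with `if (new_state != policydb.bool_val_to_struct[i]->state) {`, and replace the four-line if/else with `policydb.bool_val_to_struct[i]->state = new_state;`. The GFP_ATOMIC flag on audit_log suggests this loop runs under a lock taken before the hunk (confirm), and since audit_log cannot report a failed allocation a write that flips many booleans at once may silently lose some records; a comment such as `/* one record per changed boolean; GFP_ATOMIC because the policy lock is held */` would make that trade-off visible. The removed printk also listed the booleans that did not change, which the new records do not cover. security_set_bools starts and ends outside the hunk.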