ryantimwilson / rpms / systemd

Forked from rpms/systemd 2 months ago
Clone
c62b8e
From cfc1fde83d46d86d06ca2e76986cb4cf2607b188 Mon Sep 17 00:00:00 2001
c62b8e
From: Michal Sekletar <msekleta@redhat.com>
c62b8e
Date: Tue, 26 Feb 2019 17:33:27 +0100
c62b8e
Subject: [PATCH] selinux: don't log SELINUX_INFO and SELINUX_WARNING messages
c62b8e
 to audit
c62b8e
c62b8e
Previously we logged even info message from libselinux as USER_AVC's to
c62b8e
audit. For example, setting SELinux to permissive mode generated
c62b8e
following audit message,
c62b8e
c62b8e
time->Tue Feb 26 11:29:29 2019
c62b8e
type=USER_AVC msg=audit(1551198569.423:334): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
c62b8e
c62b8e
This is unnecessary and wrong at the same time. First, kernel already
c62b8e
records audit event that SELinux was switched to permissive mode, also
c62b8e
the type of the message really shouldn't be USER_AVC.
c62b8e
c62b8e
Let's ignore SELINUX_WARNING and SELINUX_INFO and forward to audit only
c62b8e
USER_AVC's and errors as these two libselinux message types have clear
c62b8e
mapping to audit message types.
c62b8e
c62b8e
(cherry picked from commit 6227fc14c48c4c17daed4b91f61cdd4aa375790a)
c62b8e
c62b8e
Resolves: #1240730
c62b8e
---
c62b8e
 src/core/selinux-access.c | 6 +++++-
c62b8e
 1 file changed, 5 insertions(+), 1 deletion(-)
c62b8e
c62b8e
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
c62b8e
index 6cc0a49b92..8edfc86009 100644
c62b8e
--- a/src/core/selinux-access.c
c62b8e
+++ b/src/core/selinux-access.c
c62b8e
@@ -104,7 +104,11 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
c62b8e
                 va_end(ap);
c62b8e
 
c62b8e
                 if (r >= 0) {
c62b8e
-                        audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
c62b8e
+                        if (type == SELINUX_AVC)
c62b8e
+                                audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
c62b8e
+                        else if (type == SELINUX_ERROR)
c62b8e
+                                audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, 0);
c62b8e
+
c62b8e
                         return 0;
c62b8e
                 }
c62b8e
         }