From 96888e99c5103d9dea5230c917b946732de2d302 Mon Sep 17 00:00:00 2001
From: Panu Matilainen <pmatilai@redhat.com>
Date: Thu, 22 Sep 2022 11:54:47 +0300
Subject: [PATCH] Add a handler for libselinux log messages (RhBug:2123719,
RhBug:2050774)
libselinux logs to stderr by default, which up to now has been just fine
with us. However somewhere around libselinux 3.2 it began issuing
log messages for events discovered in selinux_status_updated().
We only call that to see whether the status *was* updated behind our
back and are not interested in these audit-style messages for our
functionality, but to suppress them while preserving actually relevant
errors and warnings, we need to have a log callback of our own. Might as
well forward them to rpmlog then.
SELINUX_ERROR and SELINUX_WARNING are pretty obvious, of SELINUX_AVC
selinux_set_callback(3) says it should be treated as SELINUX_ERROR if
not audited. The rest we suppress to debug messages, they may be handy
for diagnostics some day.
Note that this intentionally avoids explicit SELINUX_POLICYLOAD and
SELINUX_SETENFORCE cases in the switch: we don't want to introduce
libselinux >= 3.2 dependency just because of this silly thing.
---
plugins/selinux.c | 30 ++++++++++++++++++++++++++++++
1 file changed, 30 insertions(+)
diff --git a/plugins/selinux.c b/plugins/selinux.c
|
|
|
ea9a62 |
index 747f62d05..0f10331f0 100644
|
|
|
ea9a62 |
--- a/plugins/selinux.c
|
|
|
ea9a62 |
+++ b/plugins/selinux.c
|
|
|
ea9a62 |
@@ -18,6 +18,35 @@ static inline rpmlogLvl loglvl(int iserror)
|
|
|
ea9a62 |
return iserror ? RPMLOG_ERR : RPMLOG_DEBUG;
|
|
|
ea9a62 |
}
|
|
|
ea9a62 |
|
|
|
ea9a62 |
+static int logcb(int type, const char *fmt, ...)
|
|
|
ea9a62 |
+{
|
|
|
ea9a62 |
+ char *buf = NULL;
|
|
|
ea9a62 |
+ va_list ap;
|
|
|
ea9a62 |
+ int lvl;
|
|
|
ea9a62 |
+
|
|
|
ea9a62 |
+ switch (type) {
|
|
|
ea9a62 |
+ case SELINUX_ERROR:
|
|
|
ea9a62 |
+ case SELINUX_AVC:
|
|
|
ea9a62 |
+ lvl = RPMLOG_ERR;
|
|
|
ea9a62 |
+ break;
|
|
|
ea9a62 |
+ case SELINUX_WARNING:
|
|
|
ea9a62 |
+ lvl = RPMLOG_WARNING;
|
|
|
ea9a62 |
+ break;
|
|
|
ea9a62 |
+ default:
|
|
|
ea9a62 |
+ lvl = RPMLOG_DEBUG;
|
|
|
ea9a62 |
+ break;
|
|
|
ea9a62 |
+ }
|
|
|
ea9a62 |
+
|
|
|
ea9a62 |
+ va_start(ap, fmt);
|
|
|
ea9a62 |
+ rvasprintf(&buf, fmt, ap);
|
|
|
ea9a62 |
+ va_end(ap);
|
|
|
ea9a62 |
+
|
|
|
ea9a62 |
+ rpmlog(lvl, "libselinux: type %d: %s", type, buf);
|
|
|
ea9a62 |
+ free(buf);
|
|
|
ea9a62 |
+
|
|
|
ea9a62 |
+ return 0;
|
|
|
ea9a62 |
+}
|
|
|
ea9a62 |
+
|
|
|
ea9a62 |
static void sehandle_fini(int close_status)
|
|
|
ea9a62 |
{
|
|
|
ea9a62 |
if (sehandle) {
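Review bot: The return value of `rvasprintf(&buf, fmt, ap)` in logcb is ignored, so if formatting fails `buf` stays NULL and the following `rpmlog(lvl, "libselinux: type %d: %s", type, buf)` hands a null pointer to `%s`, which is undefined behaviour even though glibc happens to print "(null)"; I can't see rvasprintf's failure policy from here, but the guard is cheap: `rpmlog(lvl, "libselinux: type %d: %s", type, buf ? buf : "<unformattable message>");`. Routing the libselinux text through `%s` rather than using it as rpmlog's format string is the right call, since these messages may embed file paths and security contexts taken from the package being installed. The `SELINUX_AVC` → `RPMLOG_ERR` mapping follows selinux_set_callback(3)'s advice for a consumer that does not audit, and a one-line comment on that case, e.g. `/* not audited here, so treat like SELINUX_ERROR per selinux_set_callback(3) */`, would save the next reader a trip to the man page.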
|
|
|
ea9a62 |
@@ -44,6 +73,7 @@ static rpmRC sehandle_init(int open_status)
|
|
|
ea9a62 |
if (selinux_status_open(0) < 0) {
|
|
|
ea9a62 |
return RPMRC_FAIL;
|
|
|
ea9a62 |
}
|
|
|
ea9a62 |
+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &logcb);
|
|
|
ea9a62 |
} else if (!selinux_status_updated() && sehandle) {
|
|
|
ea9a62 |
return RPMRC_OK;
|
|
|
ea9a62 |
}
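Review bot: The callback installed by `selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &logcb)` is process-global libselinux state, yet nothing in this patch restores it when `sehandle_fini` closes the status page. Because `logcb` lives in a plugin shared object, if that object is unloaded while libselinux stays loaded in the host process (rpm plugins are dlopen'd, so I would verify the cleanup path), libselinux's next log message would call through a dangling function pointer. libselinux does not appear to tolerate a NULL log callback, so save the previous one instead of clearing it: `static union selinux_callback prevlog;` at file scope, `prevlog = selinux_get_callback(SELINUX_CB_LOG);` immediately before the set call, and `selinux_set_callback(SELINUX_CB_LOG, prevlog);` on the close_status path of `sehandle_fini`. Note also that because the callback is installed only after `selinux_status_open` returns, anything that call itself logs still goes to stderr. sehandle_init's body starts and ends outside this hunk.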
--
2.38.1