diff -up sudo-1.8.6p3/src/selinux.c.auditrolechange sudo-1.8.6p3/src/selinux.c
--- sudo-1.8.6p3/src/selinux.c.auditrolechange 2012-09-25 16:29:58.090826474 +0200
+++ sudo-1.8.6p3/src/selinux.c 2012-09-25 16:33:53.953084178 +0200
@@ -63,7 +63,7 @@ static struct selinux_state {
#ifdef HAVE_LINUX_AUDIT
static int
audit_role_change(const security_context_t old_context,
- const security_context_t new_context, const char *ttyn)
+ const security_context_t new_context, const char *ttyn, int result)
{
int au_fd, rc = -1;
char *message;
@@ -80,7 +80,7 @@ audit_role_change(const security_context
easprintf(&message, "newrole: old-context=%s new-context=%s",
old_context, new_context);
rc = audit_log_user_message(au_fd, AUDIT_USER_ROLE_CHANGE,
- message, NULL, NULL, ttyn, 1);
+ message, NULL, NULL, ttyn, result);
if (rc <= 0)
warning(_("unable to send audit message"));
efree(message);
@@ -335,8 +335,13 @@ selinux_setup(const char *role, const ch
warningx("your old context was %s", se_state.old_context);
#endif
se_state.new_context = get_exec_context(se_state.old_context, role, type);
- if (!se_state.new_context)
+ if (!se_state.new_context) {
+#ifdef HAVE_LINUX_AUDIT
+ audit_role_change(se_state.old_context, "?",
+ se_state.ttyn, 0);
+#endif
goto done;
+ }
if (relabel_tty(ttyn, ptyfd) < 0) {
warning(_("unable to setup tty context for %s"), se_state.new_context);
@@ -352,7 +357,7 @@ selinux_setup(const char *role, const ch
#ifdef HAVE_LINUX_AUDIT
audit_role_change(se_state.old_context, se_state.new_context,
- se_state.ttyn);
+ se_state.ttyn, 1);
#endif
rval = 0;