Brian Stinson 2593d8
From cc3c020a5f4fc577dbd2da769c22b77e37ae4e30 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Tue, 26 Feb 2019 17:33:27 +0100
Subject: [PATCH] selinux: don't log SELINUX_INFO and SELINUX_WARNING messages
 to audit

Previously we logged even info messages from libselinux as USER_AVC's to
audit. For example, setting SELinux to permissive mode generated the
following audit message:

time->Tue Feb 26 11:29:29 2019
type=USER_AVC msg=audit(1551198569.423:334): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'

This is unnecessary and wrong at the same time. First, the kernel already
records an audit event that SELinux was switched to permissive mode; also,
the type of the message really shouldn't be USER_AVC.

Let's ignore SELINUX_WARNING and SELINUX_INFO and forward to audit only
USER_AVC's and errors, as these two libselinux message types have a clear
mapping to audit message types.

(cherry picked from commit 6227fc14c48c4c17daed4b91f61cdd4aa375790a)

Resolves: #1763612
---
 src/core/selinux-access.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 39e994afd7..ada4f8705c 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -112,7 +112,11 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
                 va_end(ap);
 
                 if (r >= 0) {
-                        audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
+                        if (type == SELINUX_AVC)
+                                audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
+                        else if (type == SELINUX_ERROR)
+                                audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, 0);
+
                         return 0;
                 }
         }
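Review bot: the two added calls switch the audit descriptor from the `fd` used on the removed line to `get_audit_fd()`, and neither the subject nor the body of the commit message mentions this; if `fd` is still a local obtained earlier in `log_callback` (the lines above the hunk are not shown), it is now either unused or potentially a different descriptor from what `get_audit_fd()` returns, so either keep `fd` here or state in the message why the lookup is replaced. A smaller point: SELINUX_WARNING and SELINUX_INFO messages now enter the `if (r >= 0)` block, match neither branch and reach `return 0;` only after the buffer `buf` has presumably been formatted (the `va_end(ap)` context suggests the vsnprintf/vasprintf work happens just above), so checking `type` before the formatting would avoid building a message that is then discarded. The blank `+` line before `return 0;` could also be dropped to keep the block compact.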