Pablo Greco 48fc63
From cfc1fde83d46d86d06ca2e76986cb4cf2607b188 Mon Sep 17 00:00:00 2001
From: Michal Sekletar <msekleta@redhat.com>
Date: Tue, 26 Feb 2019 17:33:27 +0100
Subject: [PATCH] selinux: don't log SELINUX_INFO and SELINUX_WARNING messages
 to audit
Previously we logged even info messages from libselinux as USER_AVC's to
audit. For example, setting SELinux to permissive mode generated the
following audit message,
time->Tue Feb 26 11:29:29 2019
type=USER_AVC msg=audit(1551198569.423:334): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
This is unnecessary and wrong at the same time. First, the kernel already
records an audit event that SELinux was switched to permissive mode; also,
the type of the message really shouldn't be USER_AVC.
Let's ignore SELINUX_WARNING and SELINUX_INFO and forward to audit only
USER_AVC's and errors, as these two libselinux message types have a clear
mapping to audit message types.
(cherry picked from commit 6227fc14c48c4c17daed4b91f61cdd4aa375790a)
Resolves: #1240730
---
 src/core/selinux-access.c | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index 6cc0a49b92..8edfc86009 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -104,7 +104,11 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
                 va_end(ap);
 
                 if (r >= 0) {
-                        audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
+                        if (type == SELINUX_AVC)
+                                audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
+                        else if (type == SELINUX_ERROR)
+                                audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, 0);
+
                         return 0;
                 }
         }
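Review bot: inside the `if (r >= 0)` block, the unconditional `return 0;` after the new `if (type == SELINUX_AVC) ... else if (type == SELINUX_ERROR) ...` chain is still reached for SELINUX_INFO and SELINUX_WARNING, so whenever an audit fd is available those messages are now emitted nowhere: not to audit, and not to whatever logging the function does after this block (which they would still reach on a host where the audit path is skipped). That makes the visible behaviour depend on whether audit is usable. If the goal is only to stop forwarding them to audit, move the `return 0;` into the two branches that actually call `audit_log_user_avc_message()` so the other types fall through to the existing non-audit path; if silently dropping them when audit is open is intended, say so in a comment next to the chain, since the commit message only talks about not forwarding them to audit.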