923a60
From cfc1fde83d46d86d06ca2e76986cb4cf2607b188 Mon Sep 17 00:00:00 2001
923a60
From: Michal Sekletar <msekleta@redhat.com>
923a60
Date: Tue, 26 Feb 2019 17:33:27 +0100
923a60
Subject: [PATCH] selinux: don't log SELINUX_INFO and SELINUX_WARNING messages
923a60
 to audit
923a60
923a60
Previously we logged even info messages from libselinux to audit as USER_AVCs.
923a60
audit. For example, setting SELinux to permissive mode generated
923a60
following audit message,
923a60
923a60
time->Tue Feb 26 11:29:29 2019
923a60
type=USER_AVC msg=audit(1551198569.423:334): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
923a60
923a60
This is unnecessary and wrong at the same time. First, kernel already
923a60
records audit event that SELinux was switched to permissive mode, also
923a60
the type of the message really shouldn't be USER_AVC.
923a60
923a60
Let's ignore SELINUX_WARNING and SELINUX_INFO and forward to audit only
923a60
USER_AVC's and errors as these two libselinux message types have clear
923a60
mapping to audit message types.
923a60
923a60
(cherry picked from commit 6227fc14c48c4c17daed4b91f61cdd4aa375790a)
923a60
923a60
Resolves: #1240730
923a60
---
923a60
 src/core/selinux-access.c | 6 +++++-
923a60
 1 file changed, 5 insertions(+), 1 deletion(-)
923a60
923a60
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
923a60
index 6cc0a49b92..8edfc86009 100644
923a60
--- a/src/core/selinux-access.c
923a60
+++ b/src/core/selinux-access.c
923a60
@@ -104,7 +104,11 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
923a60
                 va_end(ap);
923a60
 
923a60
                 if (r >= 0) {
923a60
-                        audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
923a60
+                        if (type == SELINUX_AVC)
923a60
+                                audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
923a60
+                        else if (type == SELINUX_ERROR)
923a60
+                                audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, 0);
923a60
+
923a60
                         return 0;
923a60
                 }
923a60
         }
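Review bot: After the new `if`/`else if` chain, the unconditional `return 0;` still applies to every message type, so on a host with a working audit socket an SELINUX_INFO or SELINUX_WARNING message whose vasprintf succeeded is now neither audited nor handed to whatever fallback logging follows this block (log_callback starts and ends outside the hunk, so that fallback is not visible here). If the intent is only to keep them out of audit while still recording them, the return should move into the two audited branches so the other types fall through; if the intent is to discard them entirely, that deserves a comment, e.g. `/* Only AVC and SELinux error messages have an audit counterpart; info/warning notices are deliberately dropped here. */`. Either way, the mapping from libselinux message type to audit record type is the kind of thing a future reader will otherwise have to reconstruct from git history.
```c
                if (r >= 0) {
                        /* Only AVC and SELinux error messages have an audit counterpart;
                         * other types (info/warning) fall through to the non-audit path. */
                        if (type == SELINUX_AVC) {
                                audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
                                return 0;
                        } else if (type == SELINUX_ERROR) {
                                audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_SELINUX_ERR, buf, NULL, NULL, NULL, 0);
                                return 0;
                        }
                        /* … unchanged: closing braces of the audit-fd block … */
```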