diff mbox

[1/2] semanage: add auditing of changes in records

Message ID 1469464627-2159-1-git-send-email-mvadkert@redhat.com (mailing list archive)
State Not Applicable
Headers show

Commit Message

Miroslav Vadkerti July 25, 2016, 4:37 p.m. UTC
Common Criteria requirement FMT_MSA.1 needs any configuration change
that affect enforcement of policy to be audited. This patch adds
auditing of changes in security context mappings for network ports,
interfaces, nodes and file contexts.

A new function log_change is introduced that audits additions,
modification and removal of the mappings via the USER_MAC_CONFIG_CHANGE
audit event.

The format of the audit events was discussed with the audit userspace
maintainer.

This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=829175

Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
---
 policycoreutils/semanage/seobject.py | 75 ++++++++++++++++++++++++++++++++++++
 1 file changed, 75 insertions(+)

Comments

Steve Grubb July 25, 2016, 7:07 p.m. UTC | #1
Hello,

Thanks for adding these audit events. I have just one question below.

On Monday, July 25, 2016 6:37:06 PM EDT Miroslav Vadkerti wrote:
> Common Criteria requirement FMT_MSA.1 needs any configuration change
> that affect enforcement of policy to be audited. This patch adds
> auditing of changes in security context mappings for network ports,
> interfaces, nodes and file contexts.
> 
> A new function log_change is introduced that audits additions,
> modification and removal of the mappings via the USER_MAC_CONFIG_CHANGE
> audit event.
> 
> The format of the audit events was discussed with the audit userspace
> maintainer.
> 
> This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=829175
> 
> Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
> ---
>  policycoreutils/semanage/seobject.py | 75
> ++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+)
> 
> diff --git a/policycoreutils/semanage/seobject.py
> b/policycoreutils/semanage/seobject.py index 3b0b108..799ce24 100644
> --- a/policycoreutils/semanage/seobject.py
> +++ b/policycoreutils/semanage/seobject.py
> @@ -82,6 +82,21 @@ file_type_str_to_option = {"all files": "a",
>                             "socket file": "s",
>                             "symbolic link": "l",
>                             "named pipe": "p"}
> +
> +proto_to_audit = {"tcp": 17,
> +                  "udp": 6,
> +                  "ipv4": 4,
> +                  "ipv6": 41}
> +
> +ftype_to_audit = {"": "any",
> +                  "b": "block",
> +                  "c": "char",
> +                  "d": "dir",
> +                  "f": "file",
> +                  "l": "symlink",
> +                  "p": "pipe",
> +                  "s": "socket"}
> +
>  try:
>      import audit
> 
> @@ -90,6 +105,7 @@ try:
>          def __init__(self):
>              self.audit_fd = audit.audit_open()
>              self.log_list = []
> +            self.log_change_list = []
> 
>          def log(self, msg, name="", sename="", serole="", serange="",
> oldsename="", oldserole="", oldserange=""):
> 
> @@ -109,10 +125,17 @@ try:
>          def log_remove(self, msg, name="", sename="", serole="",
> serange="", oldsename="", oldserole="", oldserange=""):
> self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE, sys.argv[0],
> str(msg), name, 0, sename, serole, serange, oldsename, oldserole,
> oldserange, "", "", ""])
> 
> +        def log_change(self, msg, hostname="", addr="", tty=""):
> +            self.log_change_list.append([self.audit_fd,
> audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", hostname, addr,
> tty]) +
>          def commit(self, success):
>              for l in self.log_list:
>                  audit.audit_log_semanage_message(*(l + [success]))
> +            for l in self.log_change_list:
> +                audit.audit_log_user_comm_message(*(l + [success]))
> +
>              self.log_list = []
> +            self.log_change_list = []
>  except:
>      class logger:
> 
> @@ -138,6 +161,9 @@ except:
>          def log_remove(self, msg, name="", sename="", serole="",
> serange="", oldsename="", oldserole="", oldserange=""): self.log(msg, name,
> sename, serole, serange, oldsename, oldserole, oldserange)
> 
> +        def log_change(self, msg, hostname="", addr="", tty=""):
> +            self.log_list.append(" %s" % msg)
> +

Is it really necessary to do something with hostname, addr, & tty here...

>          def commit(self, success):
>              if success == 1:
>                  message = "Successful: "
> @@ -155,6 +181,9 @@ class nulllogger:
>      def log_remove(self, msg, name="", sename="", serole="", serange="",
> oldsename="", oldserole="", oldserange=""): pass
> 
> +    def log_change(self, msg, hostname="", addr="", tty=""):
> +        pass
> +

and here? I think those are already handled in the audit logging function.

-Steve

>      def commit(self, success):
>          pass
> 
> @@ -1109,6 +1138,8 @@ class portRecords(semanageRecords):
>          semanage_port_key_free(k)
>          semanage_port_free(p)
> 
> +        self.mylog.log_change("resrc=port op=add lport=%s proto=%s
> tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u",
> "object_r", type, serange)) +
>      def add(self, port, proto, serange, type):
>          self.begin()
>          self.__add(port, proto, serange, type)
> @@ -1150,6 +1181,8 @@ class portRecords(semanageRecords):
>          semanage_port_key_free(k)
>          semanage_port_free(p)
> 
> +        self.mylog.log_change("resrc=port op=modify lport=%s proto=%s
> tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u",
> "object_r", setype, serange)) +
>      def modify(self, port, proto, serange, setype):
>          self.begin()
>          self.__modify(port, proto, serange, setype)
> @@ -1168,6 +1201,7 @@ class portRecords(semanageRecords):
>              low = semanage_port_get_low(port)
>              high = semanage_port_get_high(port)
>              port_str = "%s-%s" % (low, high)
> +
>              (k, proto_d, low, high) = self.__genkey(port_str, proto_str)
>              if rc < 0:
>                  raise ValueError(_("Could not create a key for %s") %
> port_str) @@ -1177,6 +1211,11 @@ class portRecords(semanageRecords):
>                  raise ValueError(_("Could not delete the port %s") %
> port_str) semanage_port_key_free(k)
> 
> +            if low == high:
> +                port_str = low
> +
> +            self.mylog.log_change("resrc=port op=delete lport=%s proto=%s"
> % (port_str, proto_to_audit[proto_str])) +
>          self.commit()
> 
>      def __delete(self, port, proto):
> @@ -1199,6 +1238,8 @@ class portRecords(semanageRecords):
> 
>          semanage_port_key_free(k)
> 
> +        self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" %
> (port, proto_to_audit[proto])) +
>      def delete(self, port, proto):
>          self.begin()
>          self.__delete(port, proto)
> @@ -1380,6 +1421,8 @@ class nodeRecords(semanageRecords):
>          semanage_node_key_free(k)
>          semanage_node_free(node)
> 
> +        self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s
> proto=%s tcontext=%s:%s:%s:%s" % (addr, mask,
> proto_to_audit[self.protocol[proto]], "system_u", "object_r", ctype,
> serange)) +
>      def add(self, addr, mask, proto, serange, ctype):
>          self.begin()
>          self.__add(addr, mask, proto, serange, ctype)
> @@ -1421,6 +1464,8 @@ class nodeRecords(semanageRecords):
>          semanage_node_key_free(k)
>          semanage_node_free(node)
> 
> +        self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s
> proto=%s tcontext=%s:%s:%s:%s" % (addr, mask,
> proto_to_audit[self.protocol[proto]], "system_u", "object_r", setype,
> serange)) +
>      def modify(self, addr, mask, proto, serange, setype):
>          self.begin()
>          self.__modify(addr, mask, proto, serange, setype)
> @@ -1452,6 +1497,8 @@ class nodeRecords(semanageRecords):
> 
>          semanage_node_key_free(k)
> 
> +        self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s
> proto=%s" % (addr, mask, proto_to_audit[self.protocol[proto]])) +
>      def delete(self, addr, mask, proto):
>          self.begin()
>          self.__delete(addr, mask, proto)
> @@ -1581,6 +1628,8 @@ class interfaceRecords(semanageRecords):
>          semanage_iface_key_free(k)
>          semanage_iface_free(iface)
> 
> +        self.mylog.log_change("resrc=interface op=add netif=%s
> tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype,
> serange)) +
>      def add(self, interface, serange, ctype):
>          self.begin()
>          self.__add(interface, serange, ctype)
> @@ -1618,6 +1667,8 @@ class interfaceRecords(semanageRecords):
>          semanage_iface_key_free(k)
>          semanage_iface_free(iface)
> 
> +        self.mylog.log_change("resrc=interface op=modify netif=%s
> tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype,
> serange)) +
>      def modify(self, interface, serange, setype):
>          self.begin()
>          self.__modify(interface, serange, setype)
> @@ -1646,6 +1697,8 @@ class interfaceRecords(semanageRecords):
> 
>          semanage_iface_key_free(k)
> 
> +        self.mylog.log_change("resrc=interface op=delete netif=%s" %
> interface) +
>      def delete(self, interface):
>          self.begin()
>          self.__delete(interface)
> @@ -1775,6 +1828,8 @@ class fcontextRecords(semanageRecords):
>                  if i.startswith(target + "/"):
>                      raise ValueError(_("File spec %s conflicts with
> equivalency rule '%s %s'") % (target, i, fdict[i]))
> 
> +        self.mylog.log_change("resrc=fcontext op=add-equal %s %s" %
> (audit.audit_encode_nv_string("sglob", target, 0),
> audit.audit_encode_nv_string("tglob", substitute, 0))) +
>          self.equiv[target] = substitute
>          self.equal_ind = True
>          self.commit()
> @@ -1785,6 +1840,9 @@ class fcontextRecords(semanageRecords):
>              raise ValueError(_("Equivalence class for %s does not exists")
> % target) self.equiv[target] = substitute
>          self.equal_ind = True
> +
> +        self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" %
> (audit.audit_encode_nv_string("sglob", target, 0),
> audit.audit_encode_nv_string("tglob", substitute, 0))) +
>          self.commit()
> 
>      def createcon(self, target, seuser="system_u"):
> @@ -1879,6 +1937,11 @@ class fcontextRecords(semanageRecords):
>          semanage_fcontext_key_free(k)
>          semanage_fcontext_free(fcontext)
> 
> +        if not seuser:
> +            seuser = "system_u"
> +
> +        self.mylog.log_change("resrc=fcontext op=add %s ftype=%s
> tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0),
> ftype_to_audit[ftype], seuser, "object_r", type, serange)) +
>      def add(self, target, type, ftype="", serange="", seuser="system_u"):
>          self.begin()
>          self.__add(target, type, ftype, serange, seuser)
> @@ -1939,6 +2002,11 @@ class fcontextRecords(semanageRecords):
>          semanage_fcontext_key_free(k)
>          semanage_fcontext_free(fcontext)
> 
> +        if not seuser:
> +            seuser = "system_u"
> +
> +        self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s
> tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0),
> ftype_to_audit[ftype], seuser, "object_r", type, serange)) +
>      def modify(self, target, setype, ftype, serange, seuser):
>          self.begin()
>          self.__modify(target, setype, ftype, serange, seuser)
> @@ -1964,6 +2032,8 @@ class fcontextRecords(semanageRecords):
>                  raise ValueError(_("Could not delete the file context %s")
> % target) semanage_fcontext_key_free(k)
> 
> +            self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" %
> (audit.audit_encode_nv_string("tglob", target, 0),
> ftype_to_audit[ftype_str])) +
>          self.equiv = {}
>          self.equal_ind = True
>          self.commit()
> @@ -1972,6 +2042,9 @@ class fcontextRecords(semanageRecords):
>          if target in self.equiv.keys():
>              self.equiv.pop(target)
>              self.equal_ind = True
> +
> +            self.mylog.log_change("resrc=fcontext op=delete-equal %s
> ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0),
> ftype_to_audit[ftype])) +
>              return
> 
>          (rc, k) = semanage_fcontext_key_create(self.sh, target,
> file_types[ftype]) @@ -1996,6 +2069,8 @@ class
> fcontextRecords(semanageRecords):
> 
>          semanage_fcontext_key_free(k)
> 
> +        self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" %
> (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
> +
>      def delete(self, target, ftype):
>          self.begin()
>          self.__delete(target, ftype)
Miroslav Vadkerti July 26, 2016, 10:50 a.m. UTC | #2
Hi Steve,

I did not know that I won't need to override those parameters when I
started to prepare the patch. I can just remove those and pass always "" as
hostname, addr and tty. I will submit a new patch in a few minutes ..

Thanks and best regards,
/M

On Mon, Jul 25, 2016 at 9:07 PM, Steve Grubb <sgrubb@redhat.com> wrote:

> Hello,
>
> Thanks for adding these audit events. I have just one question below.
>
> On Monday, July 25, 2016 6:37:06 PM EDT Miroslav Vadkerti wrote:
> > Common Criteria requirement FMT_MSA.1 needs any configuration change
> > that affect enforcement of policy to be audited. This patch adds
> > auditing of changes in security context mappings for network ports,
> > interfaces, nodes and file contexts.
> >
> > A new function log_change is introduced that audits additions,
> > modification and removal of the mappings via the USER_MAC_CONFIG_CHANGE
> > audit event.
> >
> > The format of the audit events was discussed with the audit userspace
> > maintainer.
> >
> > This patch resolves: https://bugzilla.redhat.com/show_bug.cgi?id=829175
> >
> > Signed-off-by: Miroslav Vadkerti <mvadkert@redhat.com>
> > ---
> >  policycoreutils/semanage/seobject.py | 75
> > ++++++++++++++++++++++++++++++++++++ 1 file changed, 75 insertions(+)
> >
> > diff --git a/policycoreutils/semanage/seobject.py
> > b/policycoreutils/semanage/seobject.py index 3b0b108..799ce24 100644
> > --- a/policycoreutils/semanage/seobject.py
> > +++ b/policycoreutils/semanage/seobject.py
> > @@ -82,6 +82,21 @@ file_type_str_to_option = {"all files": "a",
> >                             "socket file": "s",
> >                             "symbolic link": "l",
> >                             "named pipe": "p"}
> > +
> > +proto_to_audit = {"tcp": 17,
> > +                  "udp": 6,
> > +                  "ipv4": 4,
> > +                  "ipv6": 41}
> > +
> > +ftype_to_audit = {"": "any",
> > +                  "b": "block",
> > +                  "c": "char",
> > +                  "d": "dir",
> > +                  "f": "file",
> > +                  "l": "symlink",
> > +                  "p": "pipe",
> > +                  "s": "socket"}
> > +
> >  try:
> >      import audit
> >
> > @@ -90,6 +105,7 @@ try:
> >          def __init__(self):
> >              self.audit_fd = audit.audit_open()
> >              self.log_list = []
> > +            self.log_change_list = []
> >
> >          def log(self, msg, name="", sename="", serole="", serange="",
> > oldsename="", oldserole="", oldserange=""):
> >
> > @@ -109,10 +125,17 @@ try:
> >          def log_remove(self, msg, name="", sename="", serole="",
> > serange="", oldsename="", oldserole="", oldserange=""):
> > self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE,
> sys.argv[0],
> > str(msg), name, 0, sename, serole, serange, oldsename, oldserole,
> > oldserange, "", "", ""])
> >
> > +        def log_change(self, msg, hostname="", addr="", tty=""):
> > +            self.log_change_list.append([self.audit_fd,
> > audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", hostname, addr,
> > tty]) +
> >          def commit(self, success):
> >              for l in self.log_list:
> >                  audit.audit_log_semanage_message(*(l + [success]))
> > +            for l in self.log_change_list:
> > +                audit.audit_log_user_comm_message(*(l + [success]))
> > +
> >              self.log_list = []
> > +            self.log_change_list = []
> >  except:
> >      class logger:
> >
> > @@ -138,6 +161,9 @@ except:
> >          def log_remove(self, msg, name="", sename="", serole="",
> > serange="", oldsename="", oldserole="", oldserange=""): self.log(msg,
> name,
> > sename, serole, serange, oldsename, oldserole, oldserange)
> >
> > +        def log_change(self, msg, hostname="", addr="", tty=""):
> > +            self.log_list.append(" %s" % msg)
> > +
>
> Is it really necessary to do something with hostname, addr, & tty here...
>
> >          def commit(self, success):
> >              if success == 1:
> >                  message = "Successful: "
> > @@ -155,6 +181,9 @@ class nulllogger:
> >      def log_remove(self, msg, name="", sename="", serole="", serange="",
> > oldsename="", oldserole="", oldserange=""): pass
> >
> > +    def log_change(self, msg, hostname="", addr="", tty=""):
> > +        pass
> > +
>
> and here? I think those are already handled in the audit logging function.
>
> -Steve
>
> >      def commit(self, success):
> >          pass
> >
> > @@ -1109,6 +1138,8 @@ class portRecords(semanageRecords):
> >          semanage_port_key_free(k)
> >          semanage_port_free(p)
> >
> > +        self.mylog.log_change("resrc=port op=add lport=%s proto=%s
> > tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u",
> > "object_r", type, serange)) +
> >      def add(self, port, proto, serange, type):
> >          self.begin()
> >          self.__add(port, proto, serange, type)
> > @@ -1150,6 +1181,8 @@ class portRecords(semanageRecords):
> >          semanage_port_key_free(k)
> >          semanage_port_free(p)
> >
> > +        self.mylog.log_change("resrc=port op=modify lport=%s proto=%s
> > tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u",
> > "object_r", setype, serange)) +
> >      def modify(self, port, proto, serange, setype):
> >          self.begin()
> >          self.__modify(port, proto, serange, setype)
> > @@ -1168,6 +1201,7 @@ class portRecords(semanageRecords):
> >              low = semanage_port_get_low(port)
> >              high = semanage_port_get_high(port)
> >              port_str = "%s-%s" % (low, high)
> > +
> >              (k, proto_d, low, high) = self.__genkey(port_str, proto_str)
> >              if rc < 0:
> >                  raise ValueError(_("Could not create a key for %s") %
> > port_str) @@ -1177,6 +1211,11 @@ class portRecords(semanageRecords):
> >                  raise ValueError(_("Could not delete the port %s") %
> > port_str) semanage_port_key_free(k)
> >
> > +            if low == high:
> > +                port_str = low
> > +
> > +            self.mylog.log_change("resrc=port op=delete lport=%s
> proto=%s"
> > % (port_str, proto_to_audit[proto_str])) +
> >          self.commit()
> >
> >      def __delete(self, port, proto):
> > @@ -1199,6 +1238,8 @@ class portRecords(semanageRecords):
> >
> >          semanage_port_key_free(k)
> >
> > +        self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" %
> > (port, proto_to_audit[proto])) +
> >      def delete(self, port, proto):
> >          self.begin()
> >          self.__delete(port, proto)
> > @@ -1380,6 +1421,8 @@ class nodeRecords(semanageRecords):
> >          semanage_node_key_free(k)
> >          semanage_node_free(node)
> >
> > +        self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s
> > proto=%s tcontext=%s:%s:%s:%s" % (addr, mask,
> > proto_to_audit[self.protocol[proto]], "system_u", "object_r", ctype,
> > serange)) +
> >      def add(self, addr, mask, proto, serange, ctype):
> >          self.begin()
> >          self.__add(addr, mask, proto, serange, ctype)
> > @@ -1421,6 +1464,8 @@ class nodeRecords(semanageRecords):
> >          semanage_node_key_free(k)
> >          semanage_node_free(node)
> >
> > +        self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s
> > proto=%s tcontext=%s:%s:%s:%s" % (addr, mask,
> > proto_to_audit[self.protocol[proto]], "system_u", "object_r", setype,
> > serange)) +
> >      def modify(self, addr, mask, proto, serange, setype):
> >          self.begin()
> >          self.__modify(addr, mask, proto, serange, setype)
> > @@ -1452,6 +1497,8 @@ class nodeRecords(semanageRecords):
> >
> >          semanage_node_key_free(k)
> >
> > +        self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s
> > proto=%s" % (addr, mask, proto_to_audit[self.protocol[proto]])) +
> >      def delete(self, addr, mask, proto):
> >          self.begin()
> >          self.__delete(addr, mask, proto)
> > @@ -1581,6 +1628,8 @@ class interfaceRecords(semanageRecords):
> >          semanage_iface_key_free(k)
> >          semanage_iface_free(iface)
> >
> > +        self.mylog.log_change("resrc=interface op=add netif=%s
> > tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype,
> > serange)) +
> >      def add(self, interface, serange, ctype):
> >          self.begin()
> >          self.__add(interface, serange, ctype)
> > @@ -1618,6 +1667,8 @@ class interfaceRecords(semanageRecords):
> >          semanage_iface_key_free(k)
> >          semanage_iface_free(iface)
> >
> > +        self.mylog.log_change("resrc=interface op=modify netif=%s
> > tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype,
> > serange)) +
> >      def modify(self, interface, serange, setype):
> >          self.begin()
> >          self.__modify(interface, serange, setype)
> > @@ -1646,6 +1697,8 @@ class interfaceRecords(semanageRecords):
> >
> >          semanage_iface_key_free(k)
> >
> > +        self.mylog.log_change("resrc=interface op=delete netif=%s" %
> > interface) +
> >      def delete(self, interface):
> >          self.begin()
> >          self.__delete(interface)
> > @@ -1775,6 +1828,8 @@ class fcontextRecords(semanageRecords):
> >                  if i.startswith(target + "/"):
> >                      raise ValueError(_("File spec %s conflicts with
> > equivalency rule '%s %s'") % (target, i, fdict[i]))
> >
> > +        self.mylog.log_change("resrc=fcontext op=add-equal %s %s" %
> > (audit.audit_encode_nv_string("sglob", target, 0),
> > audit.audit_encode_nv_string("tglob", substitute, 0))) +
> >          self.equiv[target] = substitute
> >          self.equal_ind = True
> >          self.commit()
> > @@ -1785,6 +1840,9 @@ class fcontextRecords(semanageRecords):
> >              raise ValueError(_("Equivalence class for %s does not
> exists")
> > % target) self.equiv[target] = substitute
> >          self.equal_ind = True
> > +
> > +        self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" %
> > (audit.audit_encode_nv_string("sglob", target, 0),
> > audit.audit_encode_nv_string("tglob", substitute, 0))) +
> >          self.commit()
> >
> >      def createcon(self, target, seuser="system_u"):
> > @@ -1879,6 +1937,11 @@ class fcontextRecords(semanageRecords):
> >          semanage_fcontext_key_free(k)
> >          semanage_fcontext_free(fcontext)
> >
> > +        if not seuser:
> > +            seuser = "system_u"
> > +
> > +        self.mylog.log_change("resrc=fcontext op=add %s ftype=%s
> > tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target,
> 0),
> > ftype_to_audit[ftype], seuser, "object_r", type, serange)) +
> >      def add(self, target, type, ftype="", serange="",
> seuser="system_u"):
> >          self.begin()
> >          self.__add(target, type, ftype, serange, seuser)
> > @@ -1939,6 +2002,11 @@ class fcontextRecords(semanageRecords):
> >          semanage_fcontext_key_free(k)
> >          semanage_fcontext_free(fcontext)
> >
> > +        if not seuser:
> > +            seuser = "system_u"
> > +
> > +        self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s
> > tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target,
> 0),
> > ftype_to_audit[ftype], seuser, "object_r", type, serange)) +
> >      def modify(self, target, setype, ftype, serange, seuser):
> >          self.begin()
> >          self.__modify(target, setype, ftype, serange, seuser)
> > @@ -1964,6 +2032,8 @@ class fcontextRecords(semanageRecords):
> >                  raise ValueError(_("Could not delete the file context
> %s")
> > % target) semanage_fcontext_key_free(k)
> >
> > +            self.mylog.log_change("resrc=fcontext op=delete %s
> ftype=%s" %
> > (audit.audit_encode_nv_string("tglob", target, 0),
> > ftype_to_audit[ftype_str])) +
> >          self.equiv = {}
> >          self.equal_ind = True
> >          self.commit()
> > @@ -1972,6 +2042,9 @@ class fcontextRecords(semanageRecords):
> >          if target in self.equiv.keys():
> >              self.equiv.pop(target)
> >              self.equal_ind = True
> > +
> > +            self.mylog.log_change("resrc=fcontext op=delete-equal %s
> > ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0),
> > ftype_to_audit[ftype])) +
> >              return
> >
> >          (rc, k) = semanage_fcontext_key_create(self.sh, target,
> > file_types[ftype]) @@ -1996,6 +2069,8 @@ class
> > fcontextRecords(semanageRecords):
> >
> >          semanage_fcontext_key_free(k)
> >
> > +        self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" %
> > (audit.audit_encode_nv_string("tglob", target, 0),
> ftype_to_audit[ftype]))
> > +
> >      def delete(self, target, ftype):
> >          self.begin()
> >          self.__delete(target, ftype)
>
>
>
diff mbox

Patch

diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
index 3b0b108..799ce24 100644
--- a/policycoreutils/semanage/seobject.py
+++ b/policycoreutils/semanage/seobject.py
@@ -82,6 +82,21 @@  file_type_str_to_option = {"all files": "a",
                            "socket file": "s",
                            "symbolic link": "l",
                            "named pipe": "p"}
+
+proto_to_audit = {"tcp": 17,
+                  "udp": 6,
+                  "ipv4": 4,
+                  "ipv6": 41}
+
+ftype_to_audit = {"": "any",
+                  "b": "block",
+                  "c": "char",
+                  "d": "dir",
+                  "f": "file",
+                  "l": "symlink",
+                  "p": "pipe",
+                  "s": "socket"}
+
 try:
     import audit
 
@@ -90,6 +105,7 @@  try:
         def __init__(self):
             self.audit_fd = audit.audit_open()
             self.log_list = []
+            self.log_change_list = []
 
         def log(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
 
@@ -109,10 +125,17 @@  try:
         def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
             self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_REMOVE, sys.argv[0], str(msg), name, 0, sename, serole, serange, oldsename, oldserole, oldserange, "", "", ""])
 
+        def log_change(self, msg, hostname="", addr="", tty=""):
+            self.log_change_list.append([self.audit_fd, audit.AUDIT_USER_MAC_CONFIG_CHANGE, str(msg), "semanage", hostname, addr, tty])
+
         def commit(self, success):
             for l in self.log_list:
                 audit.audit_log_semanage_message(*(l + [success]))
+            for l in self.log_change_list:
+                audit.audit_log_user_comm_message(*(l + [success]))
+
             self.log_list = []
+            self.log_change_list = []
 except:
     class logger:
 
@@ -138,6 +161,9 @@  except:
         def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
             self.log(msg, name, sename, serole, serange, oldsename, oldserole, oldserange)
 
+        def log_change(self, msg, hostname="", addr="", tty=""):
+            self.log_list.append(" %s" % msg)
+
         def commit(self, success):
             if success == 1:
                 message = "Successful: "
@@ -155,6 +181,9 @@  class nulllogger:
     def log_remove(self, msg, name="", sename="", serole="", serange="", oldsename="", oldserole="", oldserange=""):
         pass
 
+    def log_change(self, msg, hostname="", addr="", tty=""):
+        pass
+
     def commit(self, success):
         pass
 
@@ -1109,6 +1138,8 @@  class portRecords(semanageRecords):
         semanage_port_key_free(k)
         semanage_port_free(p)
 
+        self.mylog.log_change("resrc=port op=add lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", type, serange))
+
     def add(self, port, proto, serange, type):
         self.begin()
         self.__add(port, proto, serange, type)
@@ -1150,6 +1181,8 @@  class portRecords(semanageRecords):
         semanage_port_key_free(k)
         semanage_port_free(p)
 
+        self.mylog.log_change("resrc=port op=modify lport=%s proto=%s tcontext=%s:%s:%s:%s" % (port, proto_to_audit[proto], "system_u", "object_r", setype, serange))
+
     def modify(self, port, proto, serange, setype):
         self.begin()
         self.__modify(port, proto, serange, setype)
@@ -1168,6 +1201,7 @@  class portRecords(semanageRecords):
             low = semanage_port_get_low(port)
             high = semanage_port_get_high(port)
             port_str = "%s-%s" % (low, high)
+
             (k, proto_d, low, high) = self.__genkey(port_str, proto_str)
             if rc < 0:
                 raise ValueError(_("Could not create a key for %s") % port_str)
@@ -1177,6 +1211,11 @@  class portRecords(semanageRecords):
                 raise ValueError(_("Could not delete the port %s") % port_str)
             semanage_port_key_free(k)
 
+            if low == high:
+                port_str = low
+
+            self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port_str, proto_to_audit[proto_str]))
+
         self.commit()
 
     def __delete(self, port, proto):
@@ -1199,6 +1238,8 @@  class portRecords(semanageRecords):
 
         semanage_port_key_free(k)
 
+        self.mylog.log_change("resrc=port op=delete lport=%s proto=%s" % (port, proto_to_audit[proto]))
+
     def delete(self, port, proto):
         self.begin()
         self.__delete(port, proto)
@@ -1380,6 +1421,8 @@  class nodeRecords(semanageRecords):
         semanage_node_key_free(k)
         semanage_node_free(node)
 
+        self.mylog.log_change("resrc=node op=add laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", ctype, serange))
+
     def add(self, addr, mask, proto, serange, ctype):
         self.begin()
         self.__add(addr, mask, proto, serange, ctype)
@@ -1421,6 +1464,8 @@  class nodeRecords(semanageRecords):
         semanage_node_key_free(k)
         semanage_node_free(node)
 
+        self.mylog.log_change("resrc=node op=modify laddr=%s netmask=%s proto=%s tcontext=%s:%s:%s:%s" % (addr, mask, proto_to_audit[self.protocol[proto]], "system_u", "object_r", setype, serange))
+
     def modify(self, addr, mask, proto, serange, setype):
         self.begin()
         self.__modify(addr, mask, proto, serange, setype)
@@ -1452,6 +1497,8 @@  class nodeRecords(semanageRecords):
 
         semanage_node_key_free(k)
 
+        self.mylog.log_change("resrc=node op=delete laddr=%s netmask=%s proto=%s" % (addr, mask, proto_to_audit[self.protocol[proto]]))
+
     def delete(self, addr, mask, proto):
         self.begin()
         self.__delete(addr, mask, proto)
@@ -1581,6 +1628,8 @@  class interfaceRecords(semanageRecords):
         semanage_iface_key_free(k)
         semanage_iface_free(iface)
 
+        self.mylog.log_change("resrc=interface op=add netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", ctype, serange))
+
     def add(self, interface, serange, ctype):
         self.begin()
         self.__add(interface, serange, ctype)
@@ -1618,6 +1667,8 @@  class interfaceRecords(semanageRecords):
         semanage_iface_key_free(k)
         semanage_iface_free(iface)
 
+        self.mylog.log_change("resrc=interface op=modify netif=%s tcontext=%s:%s:%s:%s" % (interface, "system_u", "object_r", setype, serange))
+
     def modify(self, interface, serange, setype):
         self.begin()
         self.__modify(interface, serange, setype)
@@ -1646,6 +1697,8 @@  class interfaceRecords(semanageRecords):
 
         semanage_iface_key_free(k)
 
+        self.mylog.log_change("resrc=interface op=delete netif=%s" % interface)
+
     def delete(self, interface):
         self.begin()
         self.__delete(interface)
@@ -1775,6 +1828,8 @@  class fcontextRecords(semanageRecords):
                 if i.startswith(target + "/"):
                     raise ValueError(_("File spec %s conflicts with equivalency rule '%s %s'") % (target, i, fdict[i]))
 
+        self.mylog.log_change("resrc=fcontext op=add-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
+
         self.equiv[target] = substitute
         self.equal_ind = True
         self.commit()
@@ -1785,6 +1840,9 @@  class fcontextRecords(semanageRecords):
             raise ValueError(_("Equivalence class for %s does not exists") % target)
         self.equiv[target] = substitute
         self.equal_ind = True
+
+        self.mylog.log_change("resrc=fcontext op=modify-equal %s %s" % (audit.audit_encode_nv_string("sglob", target, 0), audit.audit_encode_nv_string("tglob", substitute, 0)))
+
         self.commit()
 
     def createcon(self, target, seuser="system_u"):
@@ -1879,6 +1937,11 @@  class fcontextRecords(semanageRecords):
         semanage_fcontext_key_free(k)
         semanage_fcontext_free(fcontext)
 
+        if not seuser:
+            seuser = "system_u"
+
+        self.mylog.log_change("resrc=fcontext op=add %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
+
     def add(self, target, type, ftype="", serange="", seuser="system_u"):
         self.begin()
         self.__add(target, type, ftype, serange, seuser)
@@ -1939,6 +2002,11 @@  class fcontextRecords(semanageRecords):
         semanage_fcontext_key_free(k)
         semanage_fcontext_free(fcontext)
 
+        if not seuser:
+            seuser = "system_u"
+
+        self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
+
     def modify(self, target, setype, ftype, serange, seuser):
         self.begin()
         self.__modify(target, setype, ftype, serange, seuser)
@@ -1964,6 +2032,8 @@  class fcontextRecords(semanageRecords):
                 raise ValueError(_("Could not delete the file context %s") % target)
             semanage_fcontext_key_free(k)
 
+            self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype_str]))
+
         self.equiv = {}
         self.equal_ind = True
         self.commit()
@@ -1972,6 +2042,9 @@  class fcontextRecords(semanageRecords):
         if target in self.equiv.keys():
             self.equiv.pop(target)
             self.equal_ind = True
+
+            self.mylog.log_change("resrc=fcontext op=delete-equal %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
+
             return
 
         (rc, k) = semanage_fcontext_key_create(self.sh, target, file_types[ftype])
@@ -1996,6 +2069,8 @@  class fcontextRecords(semanageRecords):
 
         semanage_fcontext_key_free(k)
 
+        self.mylog.log_change("resrc=fcontext op=delete %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
+
     def delete(self, target, ftype):
         self.begin()
         self.__delete(target, ftype)