[1/1] libselinux: Add new log callback levels for enforcing and policy load notices.

Message ID 20200827125839.79006-1-chpebeni@linux.microsoft.com (mailing list archive)
State Accepted
Series [1/1] libselinux: Add new log callback levels for enforcing and policy load notices.

Commit Message

Chris PeBenito Aug. 27, 2020, 12:58 p.m. UTC
This will enable userspace object managers to send proper audits for policy
loads and setenforce messages generated by the userspace AVC code.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
---
 libselinux/include/selinux/selinux.h       | 2 ++
 libselinux/man/man3/selinux_set_callback.3 | 5 +++++
 libselinux/src/avc_internal.c              | 4 ++--
 3 files changed, 9 insertions(+), 2 deletions(-)
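As an added example, not libselinux code and not part of this patch, here is the kind of SELINUX_CB_LOG callback a userspace object manager could install to act on the two new message types. The SELINUX_* constant values are copied from the patched selinux.h so the file builds without the library; the `om_*` names, the stand-in audit sink and the sample calls in main() are this example's own, and the extraction of `enforcing=` / `seqno=` assumes the two format strings avc_internal.c uses in this patch.

```c
/*
 * Added example (not libselinux code): a SELINUX_CB_LOG callback that routes
 * the SELINUX_POLICYLOAD / SELINUX_SETENFORCE notices introduced by this patch
 * to an audit path and everything else to ordinary logging.
 *
 * The SELINUX_* values mirror libselinux/include/selinux/selinux.h after the
 * patch so this compiles stand-alone; om_audit_emit() is a stand-in for the
 * real libaudit call an object manager would make.
 */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

#define SELINUX_ERROR      0
#define SELINUX_WARNING    1
#define SELINUX_INFO       2
#define SELINUX_AVC        3
#define SELINUX_POLICYLOAD 4   /* added by this patch */
#define SELINUX_SETENFORCE 5   /* added by this patch */

enum om_sink { OM_SINK_LOG = 1, OM_SINK_AUDIT = 2 };

/* Last event seen; kept so behaviour can be checked without output capture. */
struct om_event {
    int type;
    enum om_sink sink;
    int enforcing;        /* parsed for SELINUX_SETENFORCE, otherwise -1 */
    unsigned int seqno;   /* parsed for SELINUX_POLICYLOAD, otherwise 0 */
    char msg[256];
};
static struct om_event om_last;

/* Routing policy of this example. Unknown (future) types fall through to the
 * plain log: a switch with no default would silently drop them, which is
 * exactly what happens to old callbacks that never heard of types 4 and 5. */
enum om_sink om_sink_for(int type)
{
    switch (type) {
    case SELINUX_POLICYLOAD:
    case SELINUX_SETENFORCE:
    case SELINUX_AVC:
        return OM_SINK_AUDIT;
    default:
        return OM_SINK_LOG;
    }
}

/* Recover the value from the formatted text. Assumes the format strings from
 * avc_internal.c in this patch:
 *   "%s:  received setenforce notice (enforcing=%d)\n"
 *   "%s:  received policyload notice (seqno=%u)\n"
 * Return 0 on success, -1 if the field is absent. */
int om_parse_setenforce(const char *msg, int *enforcing)
{
    const char *p = strstr(msg, "enforcing=");
    if (!p || sscanf(p + strlen("enforcing="), "%d", enforcing) != 1)
        return -1;
    return 0;
}

int om_parse_policyload(const char *msg, unsigned int *seqno)
{
    const char *p = strstr(msg, "seqno=");
    if (!p || sscanf(p + strlen("seqno="), "%u", seqno) != 1)
        return -1;
    return 0;
}

/* Stand-in for the audit path; a real object manager hands this to libaudit. */
static void om_audit_emit(const struct om_event *ev)
{
    fprintf(stderr, "AUDIT type=%d enforcing=%d seqno=%u msg=%s",
            ev->type, ev->enforcing, ev->seqno, ev->msg);
}

/* The callback, with the signature of selinux_callback.func_log. With the real
 * header available it is installed as:
 *   union selinux_callback cb = { .func_log = om_log_cb };
 *   selinux_set_callback(SELINUX_CB_LOG, cb);
 */
int om_log_cb(int type, const char *fmt, ...)
{
    va_list ap;
    int n;

    memset(&om_last, 0, sizeof(om_last));
    om_last.type = type;
    om_last.enforcing = -1;
    om_last.sink = om_sink_for(type);

    va_start(ap, fmt);
    n = vsnprintf(om_last.msg, sizeof(om_last.msg), fmt, ap);
    va_end(ap);
    if (n < 0)
        return n;

    if (type == SELINUX_SETENFORCE)
        om_parse_setenforce(om_last.msg, &om_last.enforcing);
    else if (type == SELINUX_POLICYLOAD)
        om_parse_policyload(om_last.msg, &om_last.seqno);

    if (om_last.sink == OM_SINK_AUDIT)
        om_audit_emit(&om_last);
    else
        fputs(om_last.msg, stderr);
    return n;
}

const struct om_event *om_last_event(void) { return &om_last; }

int main(void)
{
    /* Constructed calls mirroring what the userspace AVC emits after the patch. */
    om_log_cb(SELINUX_SETENFORCE, "%s:  received setenforce notice (enforcing=%d)\n", "avc", 1);
    om_log_cb(SELINUX_POLICYLOAD, "%s:  received policyload notice (seqno=%u)\n", "avc", 7u);
    om_log_cb(SELINUX_INFO, "%s:  ordinary informational message\n", "avc");
    return 0;
}
```

The default branch in om_sink_for() is the part worth copying: before this patch both notices arrived as SELINUX_INFO, so any existing callback that enumerates types without a default now loses them.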

Comments

Stephen Smalley Aug. 27, 2020, 4:37 p.m. UTC | #1
On Thu, Aug 27, 2020 at 8:59 AM Chris PeBenito
<chpebeni@linux.microsoft.com> wrote:
>
> This will enable userspace object managers to send proper audits for policy
> loads and setenforce messages generated by the userspace AVC code.
>
> Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>

Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

> ---
> diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
> index c22834e5..ae98a92e 100644
> --- a/libselinux/include/selinux/selinux.h
> +++ b/libselinux/include/selinux/selinux.h
> @@ -182,6 +182,8 @@ extern void selinux_set_callback(int type, union selinux_callback cb);
>  #define SELINUX_WARNING                1
>  #define SELINUX_INFO           2
>  #define SELINUX_AVC            3
> +#define SELINUX_POLICYLOAD     4
> +#define SELINUX_SETENFORCE     5
>  #define SELINUX_TRANS_DIR      "/var/run/setrans"
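Review bot: these two new types are delivered to every installed SELINUX_CB_LOG callback, so a callback that dispatches on `type` with explicit cases for SELINUX_ERROR through SELINUX_AVC and no default will now silently drop the two messages that previously arrived as SELINUX_INFO (the two avc_log calls changed in avc_internal.c). A sentence in the commit message and in selinux_set_callback.3 telling callback authors to treat unrecognised types as SELINUX_INFO would make the compatibility effect explicit.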

Not changed by your patch but that SELINUX_TRANS_DIR definition is
very odd, certainly shouldn't be next to these other definitions.
Will have to look into what uses that outside of libselinux.  At some
point we should likely also fix up the indentation/alignment of the
values above but that can be separate.

Stephen Smalley Aug. 31, 2020, 7:45 p.m. UTC | #2
On Thu, Aug 27, 2020 at 12:37 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Thu, Aug 27, 2020 at 8:59 AM Chris PeBenito
> <chpebeni@linux.microsoft.com> wrote:
> >
> > This will enable userspace object managers to send proper audits for policy
> > loads and setenforce messages generated by the userspace AVC code.
> >
> > Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
>
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

Applied.
Patch

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index c22834e5..ae98a92e 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -182,6 +182,8 @@  extern void selinux_set_callback(int type, union selinux_callback cb);
 #define SELINUX_WARNING		1
 #define SELINUX_INFO		2
 #define SELINUX_AVC		3
+#define SELINUX_POLICYLOAD	4
+#define SELINUX_SETENFORCE	5
 #define SELINUX_TRANS_DIR	"/var/run/setrans"
 
 /* Compute an access decision. */
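Review bot: SELINUX_POLICYLOAD and SELINUX_SETENFORCE are event kinds rather than severities, yet they sit directly after the ERROR/WARNING/INFO/AVC ladder with no comment, so a reader of the header cannot tell that 4 and 5 are not "less severe than INFO". A one-line comment above the two new defines, e.g. `/* notices forwarded from the userspace AVC; not severity levels */`, would settle that.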
diff --git a/libselinux/man/man3/selinux_set_callback.3 b/libselinux/man/man3/selinux_set_callback.3
index a4c613ad..6dfe5ff6 100644
--- a/libselinux/man/man3/selinux_set_callback.3
+++ b/libselinux/man/man3/selinux_set_callback.3
@@ -46,6 +46,11 @@  argument indicates the type of message and will be set to one of the following:
 .B SELINUX_INFO
 
 .B SELINUX_AVC
+
+.B SELINUX_POLICYLOAD
+
+.B SELINUX_SETENFORCE
+
 .
 .TP
 .B SELINUX_CB_AUDIT
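Review bot: the man page now lists the two names but, like the entries above them, says nothing about when they are raised. Since the only sources in this patch are avc_process_setenforce() and avc_process_policyload(), a short description per entry would do: SELINUX_SETENFORCE for a setenforce notice received by the userspace AVC (the message carries `enforcing=<0|1>`), SELINUX_POLICYLOAD for a policy load notice (the message carries `seqno=<n>`).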
diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c
index 4ef92452..572b2159 100644
--- a/libselinux/src/avc_internal.c
+++ b/libselinux/src/avc_internal.c
@@ -58,7 +58,7 @@  int avc_process_setenforce(int enforcing)
 {
 	int rc = 0;
 
-	avc_log(SELINUX_INFO,
+	avc_log(SELINUX_SETENFORCE,
 		"%s:  received setenforce notice (enforcing=%d)\n",
 		avc_prefix, enforcing);
 	if (avc_setenforce)
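Review bot: the enforcing state reaches the callback only embedded in the formatted text (`enforcing=%d`), so an object manager that wants the value in its audit record has to parse it back out of the string. If that is the intended contract, selinux_set_callback.3 should state the message format as stable; otherwise consider exposing the value through a non-text path alongside the log message.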
@@ -80,7 +80,7 @@  int avc_process_policyload(uint32_t seqno)
 {
 	int rc = 0;
 
-	avc_log(SELINUX_INFO,
+	avc_log(SELINUX_POLICYLOAD,
 		"%s:  received policyload notice (seqno=%u)\n",
 		avc_prefix, seqno);
 	rc = avc_ss_reset(seqno);
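Review bot: the SELINUX_POLICYLOAD notice is emitted before avc_ss_reset(seqno) runs, so an audit record built from it can only attest that the notice arrived, not that the userspace AVC was reset against the new policy; if avc_ss_reset() fails (rc != 0) nothing with the new type records that. Either document the notice as "received" rather than "applied", or log once more with the new type after the reset, including rc.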