diff mbox series

[DPKG] selinux: install log callback to filter messages

Message ID 20221011160700.82258-1-cgzones@googlemail.com (mailing list archive)
State Handled Elsewhere
Headers show
Series [DPKG] selinux: install log callback to filter messages | expand

Commit Message

Christian Göttsche Oct. 11, 2022, 4:07 p.m. UTC 
Since libselinux 3.2, via commit 05bdc03130d7 ("libselinux: use kernel
status page by default") [1], selinux_status_updated(3) will issue log
messages on enforcing changes and policy loads.  dpkg is only interested
in whether the policy changed to then reload the SELinux label database.

Ignore non-relevant log messages and forward messages of type error,
warning and avc (which should be treated as error if not audited
according to selinux_set_callback(3)).

Example (the missing newline is a libselinux bug [2]):

    Unpacking valgrind-dbg (1:3.19.0-1) ...                                                                                                │
    uavc:  op=setenforce lsm=selinux enforcing=0 res=1Preparing to unpack .../vnstati_2.9-1_amd64.deb ...

See also https://github.com/rpm-software-management/rpm/pull/2201

[1]: https://github.com/SELinuxProject/selinux/commit/05bdc03130d741e53e1fb45a958d0a2c184be503
[2]: https://lore.kernel.org/selinux/20221011112733.194079-1-plautrba@redhat.com/
---
 src/common/selinux.c | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)

Comments

Guillem Jover Oct. 11, 2022, 9:41 p.m. UTC | #1 
Hi!

On Tue, 2022-10-11 at 18:07:00 +0200, Christian Göttsche wrote:
> Since libselinux 3.2, via commit 05bdc03130d7 ("libselinux: use kernel
> status page by default") [1], selinux_status_updated(3) will issue log
> messages on enforcing changes and policy loads.  dpkg is only interested
> in whether the policy changed to then reload the SELinux label database.
> 
> Ignore non-relevant log messages and forward messages of type error,
> warning and avc (which should be treated as error if not audited
> according to selinux_set_callback(3)).

Thanks! I've merged (with a couple of tiny style changes) and pushed,
will be part of the upcoming dpkg 1.21.10 release.

Regards,
Guillem
diff mbox series

Patch

diff --git a/src/common/selinux.c b/src/common/selinux.c
index 07f87a3dd..c123fb924 100644
--- a/src/common/selinux.c
+++ b/src/common/selinux.c
@@ -44,6 +44,33 @@ 
 static struct selabel_handle *sehandle;
 #endif
 
+#ifdef WITH_LIBSELINUX
+DPKG_ATTR_PRINTF(2)
+static int log_callback(int type, const char *fmt, ...)
+{
+	char *msg;
+	va_list ap;
+
+	switch (type) {
+	case SELINUX_ERROR:
+	case SELINUX_WARNING:
+	case SELINUX_AVC:
+		break;
+	default:
+		return 0;
+	}
+
+	va_start(ap, fmt);
+	m_vasprintf(&msg, fmt, ap);
+	va_end(ap);
+
+	warning("libselinux:  %s", msg);
+	free(msg);
+
+	return 0;
+}
+#endif
+
 void
 dpkg_selabel_load(void)
 {
@@ -65,9 +92,7 @@  dpkg_selabel_load(void)
 		if (rc < 0)
 			ohshit(_("cannot open security status notification channel"));
 
-		/* XXX: We could use selinux_set_callback() to redirect the
-		 * errors from the other SELinux calls, but that does not seem
-		 * worth it right now. */
+		selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) { .func_log = log_callback });
 	} else if (selinux_enabled && selinux_status_updated()) {
 		/* The SELinux policy got updated in the kernel, usually after
 		 * upgrading the package shipping it, we need to reload. */