Message ID | 20230814132025.45364-6-cgzones@googlemail.com (mailing list archive) |
---|---|
State | Accepted |
Commit | df7d19ce6083 |
Delegated to: | Petr Lautrbach |
Series | libselinux: rework selabel_file(5) database | expand |
On Mon, Aug 14, 2023 at 9:41 AM Christian Göttsche <cgzones@googlemail.com> wrote: > > Do not issue an audit event of type AUDIT_FS_RELABEL in case of a > passive check. > > Print the reason for an audit_open(3) failure. > > Do not prematurely exit in case audit_open(3) fails, since all important > work is already done, but proceed with cleanup tasks. > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> Acked-by: James Carter <jwcart2@gmail.com> > --- > policycoreutils/setfiles/setfiles.c | 16 +++++++--------- > 1 file changed, 7 insertions(+), 9 deletions(-) > > diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c > index 4dd0d0dc..88a27241 100644 > --- a/policycoreutils/setfiles/setfiles.c > +++ b/policycoreutils/setfiles/setfiles.c > @@ -86,23 +86,20 @@ static int canoncon(char **contextp) > } > > #ifndef USE_AUDIT > -static void maybe_audit_mass_relabel(int mass_relabel __attribute__((unused)), > - int mass_relabel_errs __attribute__((unused))) > +static void audit_mass_relabel(int mass_relabel_errs __attribute__((unused))) > { > #else > -static void maybe_audit_mass_relabel(int mass_relabel, int mass_relabel_errs) > +static void audit_mass_relabel(int mass_relabel_errs) > { > int audit_fd = -1; > int rc = 0; > > - if (!mass_relabel) /* only audit a forced full relabel */ > - return; > - > audit_fd = audit_open(); > > if (audit_fd < 0) { > - fprintf(stderr, "Error connecting to audit system.\n"); > - exit(-1); > + fprintf(stderr, "Error connecting to audit system: %s.\n", > + strerror(errno)); > + return; > } > > rc = audit_log_user_message(audit_fd, AUDIT_FS_RELABEL, > @@ -463,7 +460,8 @@ int main(int argc, char **argv) > &skipped_errors) < 0; > } > > - maybe_audit_mass_relabel(r_opts.mass_relabel, errors); > + if (r_opts.mass_relabel && !r_opts.nochange) > + audit_mass_relabel(errors); > > if (warn_no_match) > selabel_stats(r_opts.hnd); > -- > 2.40.1 >
On Mon, Oct 2, 2023 at 1:15 PM James Carter <jwcart2@gmail.com> wrote: > > On Mon, Aug 14, 2023 at 9:41 AM Christian Göttsche > <cgzones@googlemail.com> wrote: > > > > Do not issue an audit event of type AUDIT_FS_RELABEL in case of a > > passive check. > > > > Print the reason for an audit_open(3) failure. > > > > Do not prematurely exit in case audit_open(3) fails, since all important > > work is already done, but proceed with cleanup tasks. > > > > Signed-off-by: Christian Göttsche <cgzones@googlemail.com> > > Acked-by: James Carter <jwcart2@gmail.com> > Merged. Thanks, Jim > > --- > > policycoreutils/setfiles/setfiles.c | 16 +++++++--------- > > 1 file changed, 7 insertions(+), 9 deletions(-) > > > > diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c > > index 4dd0d0dc..88a27241 100644 > > --- a/policycoreutils/setfiles/setfiles.c > > +++ b/policycoreutils/setfiles/setfiles.c > > @@ -86,23 +86,20 @@ static int canoncon(char **contextp) > > } > > > > #ifndef USE_AUDIT > > -static void maybe_audit_mass_relabel(int mass_relabel __attribute__((unused)), > > - int mass_relabel_errs __attribute__((unused))) > > +static void audit_mass_relabel(int mass_relabel_errs __attribute__((unused))) > > { > > #else > > -static void maybe_audit_mass_relabel(int mass_relabel, int mass_relabel_errs) > > +static void audit_mass_relabel(int mass_relabel_errs) > > { > > int audit_fd = -1; > > int rc = 0; > > > > - if (!mass_relabel) /* only audit a forced full relabel */ > > - return; > > - > > audit_fd = audit_open(); > > > > if (audit_fd < 0) { > > - fprintf(stderr, "Error connecting to audit system.\n"); > > - exit(-1); > > + fprintf(stderr, "Error connecting to audit system: %s.\n", > > + strerror(errno)); > > + return; > > } > > > > rc = audit_log_user_message(audit_fd, AUDIT_FS_RELABEL, 
> > @@ -463,7 +460,8 @@ int main(int argc, char **argv) > > &skipped_errors) < 0; > > } > > > > - maybe_audit_mass_relabel(r_opts.mass_relabel, errors); > > + if (r_opts.mass_relabel && !r_opts.nochange) > > + audit_mass_relabel(errors); > > > > if (warn_no_match) > > selabel_stats(r_opts.hnd); > > -- > > 2.40.1 > >
diff --git a/policycoreutils/setfiles/setfiles.c b/policycoreutils/setfiles/setfiles.c
index 4dd0d0dc..88a27241 100644
--- a/policycoreutils/setfiles/setfiles.c
+++ b/policycoreutils/setfiles/setfiles.c
@@ -86,23 +86,20 @@ static int canoncon(char **contextp)
 }
 
 #ifndef USE_AUDIT
-static void maybe_audit_mass_relabel(int mass_relabel __attribute__((unused)),
- int mass_relabel_errs __attribute__((unused)))
+static void audit_mass_relabel(int mass_relabel_errs __attribute__((unused)))
 {
 #else
-static void maybe_audit_mass_relabel(int mass_relabel, int mass_relabel_errs)
+static void audit_mass_relabel(int mass_relabel_errs)
 {
 int audit_fd = -1;
 int rc = 0;
 
- if (!mass_relabel) /* only audit a forced full relabel */
- return;
-
 audit_fd = audit_open();
 
 if (audit_fd < 0) {
- fprintf(stderr, "Error connecting to audit system.\n");
- exit(-1);
+ fprintf(stderr, "Error connecting to audit system: %s.\n",
+ strerror(errno));
+ return;
 }
 
 rc = audit_log_user_message(audit_fd, AUDIT_FS_RELABEL,
@@ -463,7 +460,8 @@ int main(int argc, char **argv)
 &skipped_errors) < 0;
 }
 
- maybe_audit_mass_relabel(r_opts.mass_relabel, errors);
+ if (r_opts.mass_relabel && !r_opts.nochange)
+ audit_mass_relabel(errors);
 
 if (warn_no_match)
 selabel_stats(r_opts.hnd);
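Review bot: On the `audit_fd < 0` path of audit_mass_relabel, the new `return;` leaves a completed full relabel with no AUDIT_FS_RELABEL record, and because the function is `void` only the stderr line tells the caller or a wrapping script that the audit trail is incomplete. The cleanup can still run while the failure is surfaced: return `int` from both the USE_AUDIT and stub variants, use `return -1;` here, and fold it into main()'s result, e.g. `if (audit_mass_relabel(errors) < 0) errors = 1;`. How `errors` feeds the exit status is outside the hunk, so that part needs checking against the rest of main(). The function body continues past the end of the hunk, so the audit_log_user_message() failure path is not visible here and may want the same treatment.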
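Review bot: The new guard in main() carries no comment explaining why `r_opts.nochange` suppresses the audit event, and the old `/* only audit a forced full relabel */` remark was deleted together with the in-function check. Since this condition now decides whether a relabel reaches the audit log, a one-line comment above the `if` would keep that policy visible, for example `/* audit only a forced full relabel that may change labels, not a passive (nochange) check */`. That wording follows the commit message's "passive check"; the exact meaning of `nochange` is defined outside the hunk. main() starts and ends outside the hunk.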
Do not issue an audit event of type AUDIT_FS_RELABEL in case of a passive check. Print the reason for an audit_open(3) failure. Do not prematurely exit in case audit_open(3) fails, since all important work is already done, but proceed with cleanup tasks. Signed-off-by: Christian Göttsche <cgzones@googlemail.com> --- policycoreutils/setfiles/setfiles.c | 16 +++++++--------- 1 file changed, 7 insertions(+), 9 deletions(-)