diff mbox series

[1/2] libselinux: Add additional log callback details in man page for auditing.

Message ID 20200915173332.574700-1-chpebeni@linux.microsoft.com (mailing list archive)
State Accepted

Commit Message

Chris PeBenito Sept. 15, 2020, 5:33 p.m. UTC
Add additional information about the log callback message types.  Indicate
which types could be audited and the relevant audit record types for them.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
---
 libselinux/man/man3/selinux_set_callback.3 | 9 +++++++++
 1 file changed, 9 insertions(+)

Comments

Stephen Smalley Sept. 15, 2020, 8:41 p.m. UTC | #1
On Tue, Sep 15, 2020 at 1:36 PM Chris PeBenito
<chpebeni@linux.microsoft.com> wrote:
>
> Add additional information about the log callback message types.  Indicate
> which types could be audited and the relevant audit record types for them.
>
> Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>

Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Patch

diff --git a/libselinux/man/man3/selinux_set_callback.3 b/libselinux/man/man3/selinux_set_callback.3
index 6dfe5ff6..75f49b06 100644
--- a/libselinux/man/man3/selinux_set_callback.3
+++ b/libselinux/man/man3/selinux_set_callback.3
@@ -51,6 +51,15 @@  argument indicates the type of message and will be set to one of the following:
 
 .B SELINUX_SETENFORCE
 
+SELINUX_ERROR, SELINUX_WARNING, and SELINUX_INFO indicate standard log severity
+levels and are not auditable messages.
+
+The SELINUX_AVC, SELINUX_POLICYLOAD, and SELINUX_SETENFORCE message types can be
+audited with AUDIT_USER_AVC, AUDIT_USER_MAC_POLICY_LOAD, and AUDIT_USER_MAC_STATUS
+values from libaudit, respectively.  If they are not audited, SELINUX_AVC should be
+considered equivalent to SELINUX_ERROR; similarly, SELINUX_POLICYLOAD and
+SELINUX_SETENFORCE should be considered equivalent to SELINUX_INFO.
+
 .
 .TP
 .B SELINUX_CB_AUDIT
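
Review bot: the two added paragraphs name the message types (SELINUX_ERROR, SELINUX_AVC, ...) and the AUDIT_USER_* record types as plain text, while the list entry directly above uses ".B SELINUX_SETENFORCE"; marking the names in bold (for example \fBSELINUX_AVC\fR) would keep the page consistent and make the constants easier to pick out. The second paragraph also leaves implicit who acts on "If they are not audited": saying outright that the caller's log callback either sends the message to libaudit with the listed record type or logs it at the equivalent severity would make the guidance easier to apply. The pairing hangs on "respectively", so a short three-row list mapping each SELINUX_* type to its AUDIT_USER_* value would be harder to misread.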