* [PATCH V2] libselinux: Add permissive= entry to avc audit log
@ 2017-04-28 13:05 Richard Haines
From: Richard Haines @ 2017-04-28 13:05 UTC (permalink / raw)
To: selinux
Add audit log entry to specify whether the decision was made in
permissive mode/permissive domain or enforcing mode.
Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
---
V2 changes: Remove utilities and follow the kernel way of detecting
whether permissive or not.
libselinux/src/avc.c | 4 ++++
1 file changed, 4 insertions(+)
diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
index b1ec57f..96b2678 100644
--- a/libselinux/src/avc.c
+++ b/libselinux/src/avc.c
@@ -723,6 +723,10 @@ void avc_audit(security_id_t ssid, security_id_t tsid,
log_append(avc_audit_buf, " ");
avc_dump_query(ssid, tsid, tclass);
+
+ if (denied)
+ log_append(avc_audit_buf, " permissive=%u", result ? 0 : 1);
+
log_append(avc_audit_buf, "\n");
avc_log(SELINUX_AVC, "%s", avc_audit_buf);
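Review bot: the new field is appended only under `if (denied)`, so audit records for non-denied decisions never carry `permissive=`, while the commit message ("whether the decision was made in permissive mode/permissive domain or enforcing mode") reads as if every record is labelled; say explicitly in the commit message that the field appears only on denials, matching the kernel format, so consumers of the userspace AVC log treat a missing `permissive=` as "not a denial" rather than as "enforcing". The mapping `result ? 0 : 1` also relies on callers passing a nonzero `result` for an enforced denial and zero for a denial that was not enforced; a one-line comment above the `log_append` stating that contract would make the inverted sense of `result` obvious to the next reader.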
--
2.9.3
* Re: [PATCH V2] libselinux: Add permissive= entry to avc audit log
From: Dominick Grift @ 2017-04-28 13:10 UTC (permalink / raw)
To: selinux
On Fri, Apr 28, 2017 at 02:05:16PM +0100, Richard Haines wrote:
> Add audit log entry to specify whether the decision was made in
> permissive mode/permissive domain or enforcing mode.
>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> ---
> V2 changes: Remove utilities and follow the kernel way of detecting
> whether permissive or not.
>
> libselinux/src/avc.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
> index b1ec57f..96b2678 100644
> --- a/libselinux/src/avc.c
> +++ b/libselinux/src/avc.c
> @@ -723,6 +723,10 @@ void avc_audit(security_id_t ssid, security_id_t tsid,
>
> log_append(avc_audit_buf, " ");
> avc_dump_query(ssid, tsid, tclass);
> +
> + if (denied)
> + log_append(avc_audit_buf, " permissive=%u", result ? 0 : 1);
> +
> log_append(avc_audit_buf, "\n");
> avc_log(SELINUX_AVC, "%s", avc_audit_buf);
>
> --
> 2.9.3
>
I hope you will still submit the utils as well. I think/hope that the selinux_check_access util can be used with shell scripts to create a simple user space object manager example
--
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift
* Re: [PATCH V2] libselinux: Add permissive= entry to avc audit log
From: Richard Haines @ 2017-04-28 13:22 UTC (permalink / raw)
To: Dominick Grift, selinux
On Fri, 2017-04-28 at 15:10 +0200, Dominick Grift wrote:
> On Fri, Apr 28, 2017 at 02:05:16PM +0100, Richard Haines wrote:
> > Add audit log entry to specify whether the decision was made in
> > permissive mode/permissive domain or enforcing mode.
> >
> > Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
> > ---
> > V2 changes: Remove utilities and follow the kernel way of detecting
> > whether permissive or not.
> >
> > libselinux/src/avc.c | 4 ++++
> > 1 file changed, 4 insertions(+)
> >
> > diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
> > index b1ec57f..96b2678 100644
> > --- a/libselinux/src/avc.c
> > +++ b/libselinux/src/avc.c
> > @@ -723,6 +723,10 @@ void avc_audit(security_id_t ssid,
> > security_id_t tsid,
> >
> > log_append(avc_audit_buf, " ");
> > avc_dump_query(ssid, tsid, tclass);
> > +
> > + if (denied)
> > + log_append(avc_audit_buf, " permissive=%u", result
> > ? 0 : 1);
> > +
> > log_append(avc_audit_buf, "\n");
> > avc_log(SELINUX_AVC, "%s", avc_audit_buf);
> >
> > --
> > 2.9.3
> >
>
> I hope you will still submit the utils as well. I think/hope that the
> selinux_check_access util can be used with shell scripts to create a
> simple user space object manager example
Yes I will at some stage - just thinking of how to reply to Stephen's
email on the subject and checking what ones I've already submitted to
libselinux/utils. I have a number of these little
utils/samples/examples that I use to test various bits of
libsepol/libselinux and submit those I use to test my patches.
Before I submit any I'll take your suggestion into account. All ideas
welcome.
>
* Re: [PATCH V2] libselinux: Add permissive= entry to avc audit log
From: Stephen Smalley @ 2017-04-28 14:52 UTC (permalink / raw)
To: Richard Haines, selinux
On Fri, 2017-04-28 at 14:05 +0100, Richard Haines wrote:
> Add audit log entry to specify whether the decision was made in
> permissive mode/permissive domain or enforcing mode.
>
> Signed-off-by: Richard Haines <richard_c_haines@btinternet.com>
Thanks, applied.
> ---
> V2 changes: Remove utilities and follow the kernel way of detecting
> whether permissive or not.
>
> libselinux/src/avc.c | 4 ++++
> 1 file changed, 4 insertions(+)
>
> diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
> index b1ec57f..96b2678 100644
> --- a/libselinux/src/avc.c
> +++ b/libselinux/src/avc.c
> @@ -723,6 +723,10 @@ void avc_audit(security_id_t ssid, security_id_t
> tsid,
>
> log_append(avc_audit_buf, " ");
> avc_dump_query(ssid, tsid, tclass);
> +
> + if (denied)
> + log_append(avc_audit_buf, " permissive=%u", result ?
> 0 : 1);
> +
> log_append(avc_audit_buf, "\n");
> avc_log(SELINUX_AVC, "%s", avc_audit_buf);
>