From: James Antill <jantill@redhat.com>
To: redhat-lspp <redhat-lspp@redhat.com>
Cc: linux-audit@redhat.com, selinux@tycho.nsa.gov
Subject: [patch] Full relabel audit event
Date: Thu, 25 May 2006 17:01:41 -0400
Message-ID: <1148590901.8828.22.camel@code.and.org>
The attached patch implements the full relabel audit event (i.e. an
audit event occurs when a full relabel occurs, i.e. when /.autorelabel
exists at boot).
Note that although the code is correct, this patch doesn't actually
work due to kernel bugs[1].
It'll be in Fedora development as part of policycoreutils-1.30.10-3
onwards.
[1] see the thread on linux-audit if you want the details.
--
James Antill <jantill@redhat.com>
[-- Attachment #1.1.2: policycoreutils-1.30.10-audit-mass-relabel.patch --]
diff -ru policycoreutils-1.30.10-orig/setfiles/setfiles.c policycoreutils-1.30.10/setfiles/setfiles.c
--- policycoreutils-1.30.10-orig/setfiles/setfiles.c 2006-05-23 06:20:03.000000000 -0400
+++ policycoreutils-1.30.10/setfiles/setfiles.c 2006-05-24 16:49:03.000000000 -0400
@@ -75,6 +75,11 @@
#include <selinux/selinux.h>
#include <syslog.h>
#include <libgen.h>
+#include <libaudit.h>
+
+#ifndef AUDIT_FS_RELABEL
+#define AUDIT_FS_RELABEL 2309
+#endif
static int add_assoc = 1;
static FILE *outfile=NULL;
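Review bot: the `#ifndef AUDIT_FS_RELABEL` / `#define AUDIT_FS_RELABEL 2309` fallback at the top of this hunk hard-codes a kernel message type number with no comment saying where 2309 comes from; if a later libaudit.h ever assigns the name a different value, the `#ifndef` silently hides the disagreement, and on a system whose headers lack the name there is nothing at compile time to tell you whether the running kernel agrees. Suggest a comment citing the kernel/libaudit definition the number was taken from and marking the fallback as temporary until the header catches up.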
@@ -395,7 +400,7 @@
/* trim trailing /, if present */
len = strlen(rootpath);
- while ('/' == rootpath[len - 1])
+ while (len && ('/' == rootpath[len - 1]))
rootpath[--len] = 0;
rootpathlen = len;
}
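Review bot: the added `len &&` in `while (len && ('/' == rootpath[len - 1]))` fixes an out-of-bounds read of `rootpath[-1]` when rootpath is empty (and stops the loop on a rootpath made only of slashes, which previously walked off the front of the buffer), but it has nothing to do with the audit event this patch is about. Split it into its own patch with a one-line description so it can be reviewed and backported on its own, and add a short comment such as `/* rootpath may be empty */` so the guard is not removed as redundant later.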
@@ -443,11 +448,35 @@
return 0;
}
+static void maybe_audit_mass_relabel(int done_root, int errs)
+{
+ int audit_fd = -1;
+ int rc = 0;
+
+ if (!done_root) /* only audit a forced full relabel */
+ return;
+
+ audit_fd = audit_open();
+
+ if (audit_fd < 0) {
+ fprintf(stderr, "Error connecting to audit system.\n");
+ return;
+ }
+
+ rc = audit_log_user_message(audit_fd, AUDIT_FS_RELABEL,
+ "op=mass relabel", NULL, NULL, NULL, !errs);
+ if (rc <= 0) {
+ fprintf(stderr, "Error sending audit message: %s.\n", strerror(errno));
+ }
+ audit_close(audit_fd);
+}
+
int main(int argc, char **argv)
{
struct stat sb;
int opt, rc, i;
-
+ int done_root = 0; /* have we processed the / directory as an arg */
+
memset(excludeArray,0, sizeof(excludeArray));
/* Validate all file contexts during matchpathcon_init. */
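Review bot: in `maybe_audit_mass_relabel()` the error branch prints `strerror(errno)`, but nothing in the hunk shows `audit_log_user_message()` setting errno; if the library reports failure through its negative return value rather than errno, the printed reason will be stale or misleading. Check the libaudit return convention and either print `-rc` or drop the strerror. Two smaller points: the new messages are not prefixed with the program name, while the existing errors in this file are (`"%s: error while labeling files under %s\n", argv[0], ...` in a later hunk), so pass argv[0] in or use the same prefix; and `audit_fd = -1` / `rc = 0` are initialised only to be overwritten immediately, which -W will not flag but is noise. Also confirm `<errno.h>` and `<string.h>` are already included further up in setfiles.c, since the include hunk only shows selinux.h, syslog.h and libgen.h.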
@@ -618,6 +647,8 @@
}
else for (; optind < argc; optind++)
{
+ done_root |= !strcmp(argv[optind], "/");
+
if (NULL != rootpath) {
qprintf("%s: labeling files, pretending %s is /\n",
argv[0], rootpath);
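Review bot: `done_root |= !strcmp(argv[optind], "/")` only recognises the literal string "/", so an invocation that names the root as "//" or "/." still walks the whole filesystem but emits no audit event; the trailing-slash trimming that an earlier hunk applies to rootpath is not applied to argv[optind] here. Normalise the argument before comparing (strip redundant slashes, or compare against the realpath of "/"). Separately, when -r rootpath is in effect (the qprintf right below this line says it is "pretending %s is /"), "/" refers to the alternate root, so relabeling a chroot or a mounted image would be audited as a mass relabel of the running system; decide whether that is intended and, if not, gate the flag on `rootpath == NULL` as well.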
@@ -648,6 +679,7 @@
fprintf(stderr,
"%s: error while labeling files under %s\n",
argv[0], argv[optind]);
+ maybe_audit_mass_relabel(done_root, 1);
exit(1);
}
}
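Review bot: the failure-path call `maybe_audit_mass_relabel(done_root, 1)` correctly sits after the diagnostic and before `exit(1)`, but done_root accumulates over every argument seen so far, so if "/" was labeled successfully and a later, unrelated argument fails, the event records the mass relabel itself as failed. Either note in the function comment that `res=failed` means the whole invocation failed, or record the outcome of the "/" pass separately and report that.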
@@ -664,6 +696,8 @@
matchpathcon_filespec_destroy();
}
+ maybe_audit_mass_relabel(done_root, 0);
+
if (warn_no_match)
matchpathcon_checkmatches(argv[0]);
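Review bot: the success-path `maybe_audit_mass_relabel(done_root, 0)` is emitted before `matchpathcon_checkmatches()`, so a run that completes but then reports unmatched specs is still audited as `res=success`; if that is intended, say so in a comment next to the call. This is also the only success-path emission: if main() has any other exit path between the argument loop and this point besides the `exit(1)` in the previous hunk, that path ends the run with no audit record at all, so either audit those exits too or move the reporting into an atexit handler that knows the final outcome.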
--- policycoreutils-1.30.10-orig/setfiles/Makefile 2006-05-23 06:20:03.000000000 -0400
+++ policycoreutils-1.30.10/setfiles/Makefile 2006-05-24 18:10:41.000000000 -0400
@@ -7,6 +7,7 @@
CFLAGS = -Werror -Wall -W
override CFLAGS += -D_FILE_OFFSET_BITS=64 -I$(PREFIX)/include
LDLIBS = -lselinux -lsepol -L$(LIBDIR)
+LDLIBS += -laudit
all: setfiles
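Review bot: `LDLIBS += -laudit` makes libaudit a hard link-time dependency with no Makefile switch to build without it, and the header fallback in setfiles.c only covers the `AUDIT_FS_RELABEL` constant, not the library; add the matching BuildRequires/Requires to the package spec and consider an AUDIT=y/n knob so setfiles still builds on systems without audit userspace. Appending after the existing `LDLIBS` line does keep `-laudit` after `-L$(LIBDIR)`, which is the order you want if libaudit lives there.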
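Once the event reaches the audit log, a defender wants to find it and tell a successful full relabel from a failed one. The following is an added example, not code from this message or from policycoreutils: a small Python parser that pulls FS_RELABEL records out of audit-log text, accepting both the named type and the `UNKNOWN[2309]` spelling an auditd without that name in its tables prints for it. The sample records are constructed, and the field layout (the `type=... msg=audit(ts:serial): user pid=... msg='op=... exe=... (... res=...)'` shape) is an assumption about the user-message format, so adjust the regexes to match your own log.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Numeric type from the patch's fallback define; an auditd that cannot name it
# writes the record as type=UNKNOWN[2309].
AUDIT_FS_RELABEL = 2309

# Constructed sample audit.log lines (not from any real system). The record
# layout is assumed; only the "type=... msg=audit(ts:serial):" prefix and the
# key=value body are relied on below.
SAMPLE_LOG = """\
type=UNKNOWN[2309] msg=audit(1148590901.000:42): user pid=1234 uid=0 auid=4294967295 msg='op=mass relabel exe="/sbin/setfiles" (hostname=?, addr=?, terminal=? res=success)'
type=USER_START msg=audit(1148590950.000:43): user pid=2000 uid=0 auid=500 msg='op=login id=500 exe="/bin/login" (hostname=?, addr=?, terminal=tty1 res=success)'
type=FS_RELABEL msg=audit(1148591000.000:44): user pid=1300 uid=0 auid=4294967295 msg='op=mass relabel exe="/sbin/setfiles" (hostname=?, addr=?, terminal=? res=failed)'
"""

# Record header: type name (optionally UNKNOWN[<n>]), timestamp and serial.
HEADER_RE = re.compile(
    r"^type=(?P<type>[A-Z_]+(?:\[(?P<num>\d+)\])?)\s+"
    r"msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\):\s*(?P<body>.*)$"
)
RES_RE = re.compile(r"\bres=(?P<res>[a-z]+)")
PID_RE = re.compile(r"\bpid=(?P<pid>\d+)")
# The op value in the patch ("mass relabel") contains a space, so it cannot be
# split on whitespace; take everything between msg='op= and the exe= field.
OP_RE = re.compile(r"msg='op=(?P<op>.*?) exe=")


@dataclass
class RelabelEvent:
    serial: int
    timestamp: float
    pid: Optional[int]
    op: str
    result: str  # "success", "failed", or "unknown" when no res= field is present


def _is_fs_relabel(type_name: str, num: Optional[str]) -> bool:
    """True for a named FS_RELABEL record or an UNKNOWN[<n>] record with n == 2309."""
    if type_name == "FS_RELABEL":
        return True
    return type_name.startswith("UNKNOWN[") and num is not None and int(num) == AUDIT_FS_RELABEL


def parse_relabel_event(line: str) -> Optional[RelabelEvent]:
    """Return a RelabelEvent for a relabel record, or None for any other line."""
    m = HEADER_RE.match(line.strip())
    if not m or not _is_fs_relabel(m.group("type"), m.group("num")):
        return None
    body = m.group("body")
    res = RES_RE.search(body)
    pid = PID_RE.search(body)
    op = OP_RE.search(body)
    return RelabelEvent(
        serial=int(m.group("serial")),
        timestamp=float(m.group("ts")),
        pid=int(pid.group("pid")) if pid else None,
        op=op.group("op") if op else "",
        result=res.group("res") if res else "unknown",
    )


def find_relabel_events(log_text: str) -> List[RelabelEvent]:
    """All FS_RELABEL records in the given audit-log text, in file order."""
    events = []
    for line in log_text.splitlines():
        ev = parse_relabel_event(line)
        if ev is not None:
            events.append(ev)
    return events


def failed_relabels(log_text: str) -> List[RelabelEvent]:
    """Relabel records that did not report res=success; these merit a look."""
    return [e for e in find_relabel_events(log_text) if e.result != "success"]


if __name__ == "__main__":
    for ev in find_relabel_events(SAMPLE_LOG):
        print(f"serial={ev.serial} pid={ev.pid} op={ev.op!r} result={ev.result}")
```

Feeding `find_relabel_events()` the text of /var/log/audit/log (or the output of `ausearch -m 2309` on a system whose auditd lacks the name) yields one event per full relabel; `failed_relabels()` is the list worth alerting on, since a relabel that exits early can leave part of the filesystem mislabeled.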