From: Marcelo Cerri
Subject: [PATCH] auvirt: Add security context to "relabel{to, from}" AVC records
Date: Fri, 10 Feb 2012 11:58:07 -0200
Message-ID: <1328882287-30850-1-git-send-email-mhcerri@linux.vnet.ibm.com>
To: linux-audit@redhat.com
Cc: gcwilson@us.ibm.com, bryntcor@us.ibm.com

With this patch, auvirt prints one more field for AVC records when using the "--all-events" option. The target context is added to "relabelto" AVC records and the source context to "relabelfrom" AVC records.

---
 tools/auvirt/auvirt.c | 17 ++++++++++++++++-
 1 files changed, 16 insertions(+), 1 deletions(-)

diff --git a/tools/auvirt/auvirt.c b/tools/auvirt/auvirt.c
index e5c5ef6..9b71a3c 100644
--- a/tools/auvirt/auvirt.c
+++ b/tools/auvirt/auvirt.c @@ -91,6 +91,7 @@ struct event { char *comm; char *seresult; char *seperms; + char *context; /* Fields to print proof information: */ struct record_id proof[4]; }; @@ -130,6 +131,7 @@ void event_free(struct event *event) free(event->cgroup_class); free(event->cgroup_detail); free(event->cgroup_acl); + free(event->context); free(event); } } @@ -872,6 +874,18 @@ int process_avc(auparse_state_t *au) avc->comm = copy_str(auparse_interpret_field(au)); if (auparse_find_field(au, "name")) avc->target = copy_str(auparse_interpret_field(au)); + + /* get the context related to the permission that was denied. */ + if (avc->seperms) { + const char *ctx = NULL; + if (strcmp("relabelfrom", avc->seperms) == 0) { + ctx = auparse_find_field(au, "scontext"); + } else if (strcmp("relabelto", avc->seperms) == 0) { + ctx = auparse_find_field(au, "tcontext"); + } + avc->context = copy_str(ctx); + } + add_proof(avc, au); if (list_append(events, avc) == NULL) { event_free(avc); @@ -1140,7 +1154,8 @@ void print_event(struct event *event) } else if (event->type == ET_AVC) { printf("\t%-12.12s", N(event->seperms)); printf("\t%-10.10s", N(event->seresult)); - printf("\t%s\t%s", N(event->comm), N(event->target)); + printf("\t%s\t%s\t%s", N(event->comm), N(event->target), + N(event->context)); } printf("\n"); -- 1.7.1
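Review bot: in the struct event hunk, the new `context` member is declared without saying which context it carries, while the field means different things for the two permissions (scontext for relabelfrom, tcontext for relabelto); a one-line comment next to `char *context;` stating that would save the next reader a trip to process_avc(), and the member would read better placed directly after `seperms`, the field whose value decides what it holds.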
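Review bot: in the process_avc hunk the exact `strcmp("relabelfrom", avc->seperms)` / `strcmp("relabelto", avc->seperms)` tests miss the relabel permissions whenever the AVC record lists more than one permission for the same check, since SELinux prints all denied permissions of one access check together inside the braces (for example `{ relabelfrom relabelto }`), and seperms then holds the whole list; matching a token inside seperms would cover that, and the code would then need to decide which context to keep when both permissions appear. Two smaller points in the same block: `auparse_find_field()` searches forward from the current cursor, so the lookup of scontext/tcontext silently depends on those fields following the `name` field that the preceding lines just consumed (true for the usual AVC field order, but worth a comment or an explicit `auparse_first_field(au)` before the search); and `ctx` stays NULL when seperms is neither relabel permission or when the field is absent, so `avc->context = copy_str(ctx);` requires copy_str() to accept NULL, otherwise guard it with `if (ctx)`. Unlike the neighbouring fields, ctx also comes straight from auparse_find_field() rather than auparse_interpret_field(); harmless for a context string, but inconsistent with the rest of the function.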
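Review bot: in the print_event hunk the extra `\t%s` column is emitted for every AVC line, so AVC records for any permission other than relabelfrom/relabelto now end with an `N(NULL)` placeholder column; that is fine for fixed-width output, but the change to the visible output format is not documented anywhere in the patch (the diffstat shows only auvirt.c changing), so the auvirt man page, and any column header auvirt prints for `--all-events` if it prints one, should be updated in the same patch to describe the new context field and when it is populated.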