From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael C Thompson Subject: Re: [PATCH] newrole auditing of failures due to user actions Date: Thu, 28 Sep 2006 15:38:55 -0500 Message-ID: <451C32DF.5000609@us.ibm.com> References: <451C2473.7050102@us.ibm.com> <1159474257.13831.44.camel@moss-spartans.epoch.ncsc.mil> Mime-Version: 1.0 Content-Type: text/plain; charset=ISO-8859-1; format=flowed Content-Transfer-Encoding: 7bit Return-path: In-Reply-To: <1159474257.13831.44.camel@moss-spartans.epoch.ncsc.mil> List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Sender: redhat-lspp-bounces@redhat.com Errors-To: redhat-lspp-bounces@redhat.com To: Stephen Smalley Cc: lspp-list , Linux Audit , Steve Grubb List-Id: linux-audit@redhat.com Stephen Smalley wrote: > On Thu, 2006-09-28 at 14:37 -0500, Michael C Thompson wrote: >> This patch introduces two new point in the code where audit records are >> generated for newrole. Both points are when the attempt to newrole fails. >> >> The first point is when the default type could not be determine for the >> specified role - this is audited because, as sgrubb pointed out, it is >> currently non-tracked path to probe the policy. >> >> The second point is when the desired context to change to is invalid. >> >> There record format remains unchanged. Failing to validate the desired >> context will result in the old and new contexts being recorded intact to >> the log. For the default type, the old and new contexts have not yet >> been obtained, so they are recorded in the log as XXX_context=? >> >> Signed-off-by: Michael Thompson > > (note: needs to go to selinux list if you want it merged) > > --- policycoreutils-1.30.29/newrole/newrole.c 2006-09-14 07:07:26.000000000 -0500 > +++ policycoreutils-1.30.29.orig.dev/newrole/newrole.c 2006-09-28 14:21:27.000000000 -0500 > @@ -47,7 +47,9 @@ > * > *************************************************************************/ > > +#ifndef _GNU_SOURCE > #define _GNU_SOURCE > +#endif > > I think that the -D_GNU_SOURCE should just be removed from the Makefile. Done. > @@ -394,6 +396,41 @@ > cap_free(new_caps); > } > } > + > +/* Send audit message */ > +int send_audit_message(int success, security_context_t old_context, > + security_context_t new_context, const char *ttyn) > > You need to wrap the entire function with #ifdef LOG_AUDIT_PRIV, > and provide a trivial inline function in the #else clause, e.g. > #else > static inline int send_audit_message(int success, security_context_t old_context, > security_context_t new_context, const char *ttyn) > { > return 0; > } > #endif Done. > @@ -536,6 +573,9 @@ > if (role_s && !type_s) { > if (get_default_type(role_s, &type_s)) { > fprintf(stderr, _("Couldn't get default type.\n")); > +#ifdef LOG_AUDIT_PRIV > + send_audit_message(0, old_context, new_context, ttyn); > +#endif > > You can then drop the #ifdefs here and later, since send_audit_message() will always have a valid > definition. Done. Thanks, Mike