From: Laurent Bigonville
Subject: Re: Wrong audit message type when policy is reloaded
Date: Thu, 10 Dec 2015 18:53:01 +0100
To: linux-audit@redhat.com
Cc: selinux@tycho.nsa.gov

I guess I should have CCed the linux-audit mailing list from the start.

As said in my initial mail (see below), when SELinux user object managers
are reloading the policy, an audit message with a wrong type is logged:
USER_AVC vs USER_MAC_POLICY_LOAD.

On 06/11/15 17:29, Stephen Smalley wrote:
> On 11/06/2015 11:10 AM, Laurent Bigonville wrote:
>> Hi,
>>
>> When the policy is reloaded, systemd and dbus are sending a USER_AVC
>> audit event instead of a USER_MAC_POLICY_LOAD one.
>>
>> Looking at another object manager (the xserver) it uses the following
>> code:
>> http://cgit.freedesktop.org/xorg/xserver/tree/Xext/xselinux_hooks.c#n300
>>
>> Can we really link SELINUX_INFO to AUDIT_USER_MAC_POLICY_LOAD? Is there
>> a better way to achieve this?
>>
>> A downstream bug has been opened:
>> https://bugzilla.redhat.com/show_bug.cgi?id=1195330
>
> I think when they introduced the audit support, they should have added
> a new type value in libselinux for MAC_POLICY_LOAD, and then they
> could have handled this cleanly in their callback functions. That is
> what I would do. I guess now we have to figure out how to do so
> compatibly...