[PATCH] Audit: do not print error when SELinux disabled

* [PATCH] Audit: do not print error when SELinux disabled
@ 2012-10-23 12:58 Eric Paris
  2012-10-23 15:46 ` Paul Moore
                   ` (2 more replies)
  0 siblings, 3 replies; 4+ messages in thread
From: Eric Paris @ 2012-10-23 12:58 UTC (permalink / raw)
  To: linux-audit


RHBZ: 785936
About to be posted upstream

If the audit system collects a record about one process sending a signal
to another process it includes in that collection the 'secid' or 'an int
used to represet an SELinux label.'  If SELinux is disabled it will
collect a 0.  The problem is that when we attempt to print that record
we ask the LSM to convert the secid back to a string.  Since there is no
LSM it returns EOPNOTSUPP.

Most code in the audit system checks if the secid is 0 and does not
print LSM info in that case.  The signal information code however forgot
that check.  Thus users will see a message in syslog indicating that
converting the sid to string failed.  Add the right check.

Signed-off-by: Eric Paris <eparis@redhat.com>

---

diff --git a/kernel/auditsc.c b/kernel/auditsc.c
index 857f2e2..1f5cc03 100644
--- a/kernel/auditsc.c
+++ b/kernel/auditsc.c
@@ -1195,12 +1195,14 @@ static int audit_log_pid_context(struct audit_context *context, pid_t pid,
 
 	audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
 			 uid, sessionid);
-	if (security_secid_to_secctx(sid, &ctx, &len)) {
-		audit_log_format(ab, " obj=(none)");
-		rc = 1;
-	} else {
-		audit_log_format(ab, " obj=%s", ctx);
-		security_release_secctx(ctx, len);
+	if (sid) {
+		if (security_secid_to_secctx(sid, &ctx, &len)) {
+			audit_log_format(ab, " obj=(none)");
+			rc = 1;
+		} else {
+			audit_log_format(ab, " obj=%s", ctx);
+			security_release_secctx(ctx, len);
+		}
 	}
 	audit_log_format(ab, " ocomm=");
 	audit_log_untrustedstring(ab, comm);

^ permalink raw reply related	[flat|nested] 4+ messages in thread