sepgsql_permissive_logging_v2.diff
application/octet-stream
Filename: sepgsql_permissive_logging_v2.diff
Type: application/octet-stream
Part: 0
Message:
Re: sepgsql logging
Patch
Format: unified
Series: patch v2
| File | + | − |
|---|---|---|
| contrib/sepgsql/selinux.c | 12 | 3 |
| contrib/sepgsql/sepgsql.h | 1 | 0 |
| contrib/sepgsql/uavc.c | 1 | 0 |
diff --git a/contrib/sepgsql/selinux.c b/contrib/sepgsql/selinux.c
index 6056e225d1..d703dc6ba7 100644
--- a/contrib/sepgsql/selinux.c
+++ b/contrib/sepgsql/selinux.c
@@ -676,6 +676,7 @@ sepgsql_getenforce(void)
*/
void
sepgsql_audit_log(bool denied,
+ bool enforcing,
const char *scontext,
const char *tcontext,
uint16 tclass,
@@ -713,6 +714,11 @@ sepgsql_audit_log(bool denied,
if (audit_name)
appendStringInfo(&buf, " name=\"%s\"", audit_name);
+ if (enforcing)
+ appendStringInfo(&buf, " permissive=0");
+ else
+ appendStringInfo(&buf, " permissive=1");
+
ereport(LOG, (errmsg("SELinux: %s", buf.data)));
}
@@ -907,6 +913,7 @@ sepgsql_check_perms(const char *scontext,
uint32 denied;
uint32 audited;
bool result = true;
+ bool enforcing;
sepgsql_compute_avd(scontext, tcontext, tclass, &avd);
@@ -918,9 +925,10 @@ sepgsql_check_perms(const char *scontext,
audited = (denied ? (denied & avd.auditdeny)
: (required & avd.auditallow));
- if (denied &&
- sepgsql_getenforce() > 0 &&
- (avd.flags & SELINUX_AVD_FLAGS_PERMISSIVE) == 0)
+ enforcing = sepgsql_getenforce() > 0 &&
+ (avd.flags & SELINUX_AVD_FLAGS_PERMISSIVE) == 0;
+
+ if (denied && enforcing)
result = false;
/*
@@ -930,6 +938,7 @@ sepgsql_check_perms(const char *scontext,
if (audited && sepgsql_mode != SEPGSQL_MODE_INTERNAL)
{
sepgsql_audit_log(denied,
+ enforcing,
scontext,
tcontext,
tclass,
diff --git a/contrib/sepgsql/sepgsql.h b/contrib/sepgsql/sepgsql.h
index 12241206a8..70f6203496 100644
--- a/contrib/sepgsql/sepgsql.h
+++ b/contrib/sepgsql/sepgsql.h
@@ -227,6 +227,7 @@ extern int sepgsql_set_mode(int new_mode);
extern bool sepgsql_getenforce(void);
extern void sepgsql_audit_log(bool denied,
+ bool enforcing,
const char *scontext,
const char *tcontext,
uint16 tclass,
diff --git a/contrib/sepgsql/uavc.c b/contrib/sepgsql/uavc.c
index 747963ffb3..76597983f4 100644
--- a/contrib/sepgsql/uavc.c
+++ b/contrib/sepgsql/uavc.c
@@ -399,6 +399,7 @@ sepgsql_avc_check_perms_label(const char *tcontext,
sepgsql_get_mode() != SEPGSQL_MODE_INTERNAL)
{
sepgsql_audit_log(denied != 0,
+ (sepgsql_getenforce() && !cache->permissive),
cache->scontext,
cache->tcontext_is_valid ?
cache->tcontext : sepgsql_avc_unlabeled(),