On Wed, 2004-07-07 at 14:55, Tom London wrote:
> Interesting....
>
> I was actually trying to address a (slightly) different issue: how to
> recreate, after the fact, as much of the state as possible
> from the log. Can certainly add to the user space code
> to detect this change, and then emit a message to the log.
>
> Prior to your suggestion, I looked at the code for selinuxfs.c.
> I think a one line change could also do the trick:
> (I modeled this after the log prints on a policy load)
>
> ***************
> *** 135,140 ****
> --- 135,143 ----
>   length = task_has_security(current, SECURITY__SETENFORCE);
>   if (length)
>   goto out;
> + printk(KERN_INFO "setenforce: %s->%s\n",
> + (selinux_enforcing ? "enforcing" : "permissive"),
> + (new_value ? "enforcing" : "permissive"));
>   selinux_enforcing = new_value;
>   if (selinux_enforcing)
>   avc_ss_reset(0);

Yes, that works as well, although I'd advise using
audit_log(current->audit_context, "setenforce: %s->%s", ...)
rather than printk, so that you use the audit framework rather than the
normal kernel logging framework. That allows for the messages to be
routed to a separate audit daemon and processed differently.

--
Stephen Smalley <sds@xxxxxxxxxxxxxx>
National Security Agency
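Review bot: the added printk in the selinuxfs.c hunk fires on every write that passes the SECURITY__SETENFORCE check, including writes where new_value equals the current selinux_enforcing, so a log reconstructed from these messages will contain "enforcing->enforcing" and "permissive->permissive" entries that are not real transitions; guard the message with a comparison such as `if (selinux_enforcing != new_value)` or note in the format that a no-op write was attempted. The message also carries no information about who requested the change (the task that passed task_has_security()), which is the first thing an after-the-fact reconstruction of state would want; including current->pid and current->comm in the format string would make the record self-describing.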
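The thread's goal is to rebuild the enforcing/permissive history of a system from its logs once the kernel records each setenforce transition in the "setenforce: old->new" form shown above. The following script is an added example, not code from the thread or from the SELinux project: it replays log lines, tracks the reconstructed mode, and flags any transition whose recorded old state disagrees with the state reconstructed so far, which is what a dropped or reordered message looks like. It only matches the message body, so it works whether the line came through printk (syslog prefix) or through an audit daemon; the log lines and their prefixes are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Matches the message body the patch in the thread emits: "setenforce: <old>-><new>".
# Whatever prefix the logging path adds (syslog timestamp, "kernel:", audit
# record fields) is ignored; only the message body is relied upon.
SETENFORCE_RE = re.compile(r"setenforce: (enforcing|permissive)->(enforcing|permissive)")


@dataclass
class Transition:
    line_no: int      # 1-based index of the log line
    old: str          # state the kernel reported as the previous mode
    new: str          # state the kernel reported as the new mode
    consistent: bool  # True if `old` matches the state reconstructed so far


def reconstruct(lines, initial: Optional[str] = None) -> Tuple[Optional[str], List[Transition]]:
    """Replay log lines and return (final state, list of transitions).

    `initial` is the enforcing mode at the start of the log if known (for
    example from the boot command line); None means unknown, in which case
    the first transition is accepted without a consistency check. A
    transition whose recorded old state disagrees with the reconstructed
    state is flagged with consistent=False rather than silently accepted.
    """
    state = initial
    transitions: List[Transition] = []
    for n, line in enumerate(lines, 1):
        m = SETENFORCE_RE.search(line)
        if not m:
            continue
        old, new = m.group(1), m.group(2)
        consistent = state is None or state == old
        transitions.append(Transition(n, old, new, consistent))
        state = new
    return state, transitions


# Constructed sample log (not real system output). Line 4 reports a
# transition whose "old" side contradicts the state reached after line 2,
# which is the signature of a lost message between the two.
SAMPLE_LOG = [
    "Jul  7 14:50:01 host kernel: SELinux: policy loaded",
    "Jul  7 14:55:10 host kernel: setenforce: enforcing->permissive",
    "Jul  7 14:55:11 host kernel: unrelated message",
    "type=KERNEL msg=audit(1089212564.120:17): setenforce: enforcing->permissive",
    "Jul  7 15:10:00 host kernel: setenforce: permissive->enforcing",
]


if __name__ == "__main__":
    final, ts = reconstruct(SAMPLE_LOG, initial="enforcing")
    for t in ts:
        flag = "" if t.consistent else "  <-- inconsistent with reconstructed state"
        print(f"line {t.line_no}: {t.old} -> {t.new}{flag}")
    print("final state:", final)
```

Run as a script it prints the three transitions, marks the one on line 4 as inconsistent, and reports a final state of enforcing. Passing the boot-time mode as `initial` is what turns the first message into a checkable claim; without it the reconstruction can only start trusting the log from its first transition.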