Re: policycoreutils: audit2allow -l doesn't work with dmesg pipe

[Joshua Brindle <method@xxxxxxxxxxxxxxx>]

Stephen Smalley wrote:
> On Mon, 2009-08-24 at 23:37 +1000, Russell Coker wrote:
> > On Mon, 24 Aug 2009, Daniel J Walsh<dwalsh@xxxxxxxxxx>  wrote:
> > > > > > http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=503252
> > > > > audit2allow -l is looking for the load_policy message which does not go
> > > > > to the dmesg, /var/log/messages.  Therefore the tool has no idea when
> > > > > policy was last loaded.
> > > > That would be a kernel bug then.
> > > Well I believe the messages that are intercepted by the audit.log do not go
> > > into dmesg, by design. Although Steve, James or Eric could probably say for
> > > sure.
> > When auditd is not running on a Debian system with CentOS kernel
> > 2.6.18-92.1.13.el5xen or Debian/Lenny kernel 2.6.26-2-xen-686 then nothing
> > goes to the kernel message log which is interpreted by audit2allow as a
> > candidate for the "-l" functionality.
> >
> > It's OK if all the AVC messages go to the audit log and "dmesg|audit2allow -l"
> > gives no output.  But if all AVC messages other than the load_policy message
> > go to the kernel message log then it's a bug.
>
> Originally audit2allow used the avc: allowed message generated by
> auditallow statement for load_policy to identify policy reloads.  Later
> it was switched to use the MAC_POLICY_LOAD events generated by the audit
> framework.  Those events should still get logged via printk if auditd is
> not running, but it appears that the code (audit_printk_skb) will then
> log the type= field as an integer rather than a string, and
> audit2allow/sepolgen only looks for the string MAC_POLICY_LOAD.
>
> So I suspect that this would be resolved by modifying sepolgen/audit.py
> to also match on type=1403 for load messages.  Try this:
>
> diff --git a/sepolgen/src/sepolgen/audit.py b/sepolgen/src/sepolgen/audit.py
> index 4717dae..efcc40d 100644
> --- a/sepolgen/src/sepolgen/audit.py
> +++ b/sepolgen/src/sepolgen/audit.py
> @@ -314,7 +314,7 @@ class AuditParser:
>               elif i == "security_compute_sid:":
>                   msg = ComputeSidMessage(line)
>                   found = True
> -            elif i == "type=MAC_POLICY_LOAD":
> +            elif i == "type=MAC_POLICY_LOAD" or i == "type=1403":
>                   msg = PolicyLoadMessage(line)
>                   found = True
>               elif i == "type=AVC_PATH":

Merged in sepolgen 1.0.19

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.