-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 This patch looks good to me. acked. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAk9x2owACgkQrlYvE4MpobP3RwCfd+6/ebAP7I8/mH6FNZbAXL9d piwAnjoAAI0wfkLxHr5kqYpV4+BQqvMK =MNvT -----END PGP SIGNATURE-----
>From 4823fb0bb2cf5f6eff652cedbd74595e078fc9d2 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@xxxxxxxxxx>
Date: Fri, 27 Jan 2012 13:19:55 -0500
Subject: [PATCH 33/73] policycoreutils: semanage: audit message to show what record(s) and item(s) have chaged

Also if the user specifies a store that is not the current store, we should not be sending audit messages.

Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
---
 policycoreutils/semanage/seobject.py | 73 +++++++++++++++++++---------------
 1 file changed, 40 insertions(+), 33 deletions(-)

diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
index a94dffa..12cd0fe 100644
--- a/policycoreutils/semanage/seobject.py
+++ b/policycoreutils/semanage/seobject.py
@@ -1,4 +1,4 @@
-#! /usr/bin/python -E
+#! /usr/bin/python -Es
 # Copyright (C) 2005-2011 Red Hat
 # see file 'COPYING' for use and warranty information
 #
@@ -62,6 +62,15 @@ try:
 self.audit_fd = audit.audit_open()
 self.log_list = []
 def log(self, msg, name = "", sename = "", serole = "", serange = "", oldsename = "", oldserole = "", oldserange = ""):
+
+ sep = "-"
+ if sename != oldsename:
+ msg += sep + "sename"; sep = ","
+ if serole != oldserole:
+ msg += sep + "role"; sep = ","
+ if serange != oldserange:
+ msg += sep + "range"; sep = ","
+
 self.log_list.append([self.audit_fd, audit.AUDIT_ROLE_ASSIGN, sys.argv[0], str(msg), name, 0, sename, serole, serange, oldsename, oldserole, oldserange, "", "", ""])
 def log_remove(self, msg, name = "", sename = "", serole = "", serange = "", oldsename = "", oldserole = "", oldserange = ""):
@@ -194,6 +203,7 @@ class semanageRecords:
 def __init__(self, store):
 global handle
+ self.sh = self.get_handle(store)
 rc, localstore = selinux.selinux_getpolicytype()
 if store == "" or store == localstore:
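Review bot: The shebang change from `-E` to `-Es` is not explained anywhere in the commit message, and it is a hardening step worth recording: `-s` keeps the invoking user's site-packages directory off `sys.path`, so for a tool that normally runs with root privileges a module dropped there can no longer shadow the ones seobject imports (`-E` already ignores the `PYTHON*` environment variables). A one-line addition to the description such as `Run the interpreter with -s so the caller's user site-packages cannot shadow imported modules.` would make the intent clear to whoever next touches the shebang.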
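Review bot: The suffix that `log` now appends to `msg` mixes a field name (`sename`) with bare attribute names (`role`, `range`), so the op string written to the audit record reads like `login-sename,role,range`; since that string is what audit searches and reports will key on, it is worth settling on one naming scheme before it ships. The paired statements `msg += sep + "sename"; sep = ","` (and the two lines like it) should be split onto separate lines, and the method would benefit from a docstring such as `"""Queue an AUDIT_ROLE_ASSIGN record for name; msg is suffixed with the fields whose new value differs from the old one, e.g. login-sename,range."""`. `log_remove` on the hunk's last line keeps its old signature but its body is outside this hunk, so whether removals get the same differing-fields suffix cannot be checked here.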
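Review bot: The audit gate on the hunk's last line, `if store == "" or store == localstore:`, is now the mechanism this commit relies on to suppress audit messages for foreign stores, yet `rc` from `selinux.selinux_getpolicytype()` on the line above is never checked; if the call fails, `localstore` holds whatever the binding returns on error and the comparison silently picks the wrong logger (presumably `nulllogger`, meaning changes to the live store go unaudited). A check such as `if rc < 0: raise ValueError(_("Could not determine the local policy type"))` before the comparison would make the failure visible instead. The rest of `__init__`, including both branches of that `if`, lies outside the hunk.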
@@ -201,43 +211,41 @@ class semanageRecords:
 else:
 self.mylog = nulllogger()
- self.sh = self.get_handle(store)
- def get_handle(self, store):
- global is_mls_enabled
+ global is_mls_enabled
- if semanageRecords.handle:
- return semanageRecords.handle
+ if semanageRecords.handle:
+ return semanageRecords.handle
- handle = semanage_handle_create()
- if not handle:
- raise ValueError(_("Could not create semanage handle"))
+ handle = semanage_handle_create()
+ if not handle:
+ raise ValueError(_("Could not create semanage handle"))
- if not semanageRecords.transaction and store != "":
- semanage_select_store(handle, store, SEMANAGE_CON_DIRECT);
- semanageRecords.store = store
+ if not semanageRecords.transaction and store != "":
+ semanage_select_store(handle, store, SEMANAGE_CON_DIRECT);
+ semanageRecords.store = store
- if not semanage_is_managed(handle):
- semanage_handle_destroy(handle)
- raise ValueError(_("SELinux policy is not managed or store cannot be accessed."))
+ if not semanage_is_managed(handle):
+ semanage_handle_destroy(handle)
+ raise ValueError(_("SELinux policy is not managed or store cannot be accessed."))
- rc = semanage_access_check(handle)
- if rc < SEMANAGE_CAN_READ:
- semanage_handle_destroy(handle)
- raise ValueError(_("Cannot read policy store."))
+ rc = semanage_access_check(handle)
+ if rc < SEMANAGE_CAN_READ:
+ semanage_handle_destroy(handle)
+ raise ValueError(_("Cannot read policy store."))
- rc = semanage_connect(handle)
- if rc < 0:
- semanage_handle_destroy(handle)
- raise ValueError(_("Could not establish semanage connection"))
+ rc = semanage_connect(handle)
+ if rc < 0:
+ semanage_handle_destroy(handle)
+ raise ValueError(_("Could not establish semanage connection"))
- is_mls_enabled = semanage_mls_enabled(handle)
- if is_mls_enabled < 0:
- semanage_handle_destroy(handle)
- raise ValueError(_("Could not test MLS enabled status"))
+ is_mls_enabled = semanage_mls_enabled(handle)
+ if is_mls_enabled < 0:
+ semanage_handle_destroy(handle)
+ raise ValueError(_("Could not test MLS enabled status"))
- semanageRecords.handle = handle
- return semanageRecords.handle
+ semanageRecords.handle = handle
+ return semanageRecords.handle
 def deleteall(self):
 raise ValueError(_("Not yet implemented"))
@@ -511,7 +519,7 @@ class loginRecords(semanageRecords):
 semanage_seuser_key_free(k)
 semanage_seuser_free(u)
- self.mylog.log("login-seuser", name, sename=sename, serange=serange, serole=",".join(serole), oldserole=",".join(oldserole), oldsename=self.oldsename, oldserange=self.oldserange);
+ self.mylog.log("login", name, sename=sename, serange=serange, serole=",".join(serole), oldserole=",".join(oldserole), oldsename=self.oldsename, oldserange=self.oldserange);
 def add(self, name, sename, serange):
 try:
@@ -570,8 +578,7 @@ class loginRecords(semanageRecords):
 semanage_seuser_key_free(k)
 semanage_seuser_free(u)
-
- self.mylog.log("login-seuser", name,sename=self.sename,serange=self.serange, serole=",".join(serole), oldserole=",".join(oldserole), oldsename=self.oldsename, oldserange=self.oldserange);
+ self.mylog.log("login", name,sename=self.sename,serange=self.serange, serole=",".join(serole), oldserole=",".join(oldserole), oldsename=self.oldsename, oldserange=self.oldserange);
 def modify(self, name, sename = "", serange = ""):
 try:
@@ -612,7 +619,7 @@ class loginRecords(semanageRecords):
 rec, self.sename, self.serange = selinux.getseuserbyname("__default__")
 range, (rc, serole) = userrec.get(self.sename)
- self.mylog.log_remove("login-seuser", name, sename=self.sename, serange=self.serange, serole=",".join(serole), oldserole=",".join(oldserole), oldsename=self.oldsename, oldserange=self.oldserange);
+ self.mylog.log_remove("login", name, sename=self.sename, serange=self.serange, serole=",".join(serole), oldserole=",".join(oldserole), oldsename=self.oldsename, oldserange=self.oldserange);
 def delete(self, name):
 try:
-- 
1.7.9.3
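Review bot: `get_handle` returns the class-wide `semanageRecords.handle` as soon as one exists, without comparing the requested `store` to `semanageRecords.store`, while `__init__` (hunk at line 203) decides per instance whether to audit based on that same `store` argument; once the cache is populated, an instance built for a different store therefore works on the first store's handle but is audited (or not) according to its own argument, so the audit trail can attribute a change to the wrong store. As far as this hunk shows, the cached-handle path should at least refuse a mismatch, e.g. `if semanageRecords.handle: if store != "" and store != semanageRecords.store: raise ValueError(_("semanage handle already open for a different store")); return semanageRecords.handle`. Separately, the hunk removes `def get_handle(self, store):` with no corresponding added definition visible, yet `__init__` still calls `self.get_handle(store)`; presumably the added `def` line was lost when the patch was flattened, but it is worth confirming against the original mail. The statement `semanage_select_store(handle, store, SEMANAGE_CON_DIRECT);` keeps a stray trailing semicolon.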
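Review bot: Existing audit searches or report scripts keyed on `op=login-seuser` stop matching once these calls log `login` instead, and the same compatibility break is made by the hunks at lines 578 and 619; the new op value is not mentioned in the commit message, which should state it so downstream consumers can adjust. For the delete path (hunk at 619) the record goes through `log_remove`, whose body is not part of this patch, so removals will presumably carry the bare `login` with none of the differing-fields suffix `log` now adds; confirm that is intended, otherwise `log_remove` needs the same treatment. The trailing `;` on each of the three calls is a style nit, and each call sits in a method whose start is outside its hunk.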