-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 The problem is that useradd is not calling libsemanage functions directly; this patch moves the audit record calls into libsemanage. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.13 (GNU/Linux) Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/ iEYEARECAAYFAlHy6vgACgkQrlYvE4MpobNx1wCgyyRY7vs3HlQYpHVZAZUSIijq p8cAniXvcKVQU3ahCiS9mAf+fM8oB+Zv =9OtP -----END PGP SIGNATURE-----
>From e8d9920cbcfd5427e6260b73bc63bf704e546e98 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@xxxxxxxxxx>
Date: Fri, 26 Jul 2013 16:20:33 -0400
Subject: [PATCH 44/45] Move handling of role audit messages into libsemanage
---
 libsemanage/src/Makefile | 2 +-
 libsemanage/src/seusers_local.c | 98 +++++++++++++++++++++++++++++++++++++++--
 2 files changed, 95 insertions(+), 5 deletions(-)
diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile
index c63bb22..edb84cc 100644
--- a/libsemanage/src/Makefile
+++ b/libsemanage/src/Makefile
@@ -92,7 +92,7 @@ $(LIBA): $(OBJS)
 $(RANLIB) $@
 $(LIBSO): $(LOBJS)
- $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol -lselinux -lbz2 -lustr -L$(LIBDIR) -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs
+ $(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol -laudit -lselinux -lbz2 -lustr -L$(LIBDIR) -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs
 ln -sf $@ $(TARGET)
 $(LIBPC): $(LIBPC).in ../VERSION
diff --git a/libsemanage/src/seusers_local.c b/libsemanage/src/seusers_local.c
index e7cf12c..ed0af21 100644
--- a/libsemanage/src/seusers_local.c
+++ b/libsemanage/src/seusers_local.c
@@ -8,27 +8,117 @@ typedef struct semanage_seuser record_t;
 #include <sepol/policydb.h>
 #include <sepol/context.h>
+#include <libaudit.h>
+#include <errno.h>
 #include "user_internal.h"
 #include "seuser_internal.h"
 #include "handle.h"
 #include "database.h"
 #include "debug.h"
+#include "string.h"
+#include <stdlib.h>
+
+static char *semanage_user_roles(semanage_handle_t * handle, const char *sename) {
+ char *roles = NULL;
+ unsigned int num_roles;
+ size_t i;
+ size_t size = 0;
+ const char **roles_arr;
+ semanage_user_key_t *key = NULL;
+ semanage_user_t * user;
+ if (semanage_user_key_create(handle, sename, &key) >= 0) {
+ if (semanage_user_query(handle, key, &user) >= 0) {
+ if (semanage_user_get_roles(handle,
+ user,
+ &roles_arr,
+ &num_roles) >= 0) {
+ for (i = 0; i<num_roles; i++) {
+ size += (strlen(roles_arr[i]) + 1);
+ }
+ roles = malloc(size);
+ if (roles) {
+ strcpy(roles,roles_arr[0]);
+ for (i = 1; i<num_roles; i++) {
+ strcat(roles,",");
+ strcat(roles,roles_arr[0]);
+ }
+ }
+ }
+ semanage_user_free(user);
+ }
+ semanage_user_key_free(key);
+ }
+ return roles;
+}
+
+static int semanage_seuser_audit(semanage_handle_t * handle,
+ const semanage_seuser_t * seuser,
+ const semanage_seuser_t * previous,
+ int audit_type,
+ int success) {
+ const char *name = NULL;
+ const char *sename = NULL;
+ char *roles = NULL;
+ const char *mls = NULL;
+ const char *psename = NULL;
+ const char *pmls = NULL;
+ char *proles = NULL;
+ if (seuser) {
+ name = semanage_seuser_get_name(seuser);
+ sename = semanage_seuser_get_sename(seuser);
+ mls = semanage_seuser_get_mlsrange(seuser);
+ roles = semanage_user_roles(handle, sename);
+ }
+ if (previous) {
+ psename = semanage_seuser_get_sename(previous);
+ pmls = semanage_seuser_get_mlsrange(previous);
+ proles = semanage_user_roles(handle, psename);
+ }
+
+ int fd = audit_open();
+ if (fd < 0)
+ {
+ /* If kernel doesn't support audit, bail out */
+ if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT)
+ return 0;
+ return fd;
+ }
+ audit_log_semanage_message(fd, audit_type, NULL, NULL, name, 0, sename, roles, mls, psename, proles, pmls, NULL, NULL,NULL, success);
+ audit_close(fd);
+ free(roles);
+ free(proles);
+ return 0;
+}
 int semanage_seuser_modify_local(semanage_handle_t * handle,
 const semanage_seuser_key_t * key,
 const semanage_seuser_t * data) {
-
+ int rc;
 dbase_config_t *dconfig = semanage_seuser_dbase_local(handle);
- return dbase_modify(handle, dconfig, key, data);
+ semanage_seuser_t *previous = NULL;
+ semanage_seuser_query(handle, key, &previous);
+ rc = dbase_modify(handle, dconfig, key, data);
+ if (semanage_seuser_audit(handle, data, previous, AUDIT_ROLE_ASSIGN, rc == 0) < 0)
+ rc = -1;
+ if (previous)
+ semanage_seuser_free(previous);
+ return rc;
 }
 int semanage_seuser_del_local(semanage_handle_t * handle,
 const semanage_seuser_key_t * key) {
-
+ int rc;
+ semanage_seuser_t *seuser = NULL;
 dbase_config_t *dconfig = semanage_seuser_dbase_local(handle);
- return dbase_del(handle, dconfig, key);
+ rc = dbase_del(handle, dconfig, key);
+ semanage_seuser_query(handle, key, &seuser);
+ if (semanage_seuser_audit(handle, NULL, seuser, AUDIT_ROLE_REMOVE, rc == 0) < 0)
+ rc = -1;
+ if (seuser)
+ semanage_seuser_free(seuser);
+ return rc;
 }
 int semanage_seuser_query_local(semanage_handle_t * handle,
-- 1.8.3.1
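Review bot: The role string built in semanage_user_roles repeats the first role — the loop body calls `strcat(roles,roles_arr[0])` where it must append `roles_arr[i]` — so every user with more than one role is audited with a wrong role list, and when num_roles is 0 the `strcpy(roles,roles_arr[0])` reads past the (possibly NULL) array into a zero-byte allocation; the rewrite below fixes both and releases roles_arr, which appears to be caller-owned (confirm against semanage_user_get_roles). In semanage_seuser_audit both early returns in the `fd < 0` branch leave `roles` and `proles` allocated; add `free(roles); free(proles);` before each `return`, or call audit_open() before building the strings. The AUDIT_ROLE_REMOVE record written from semanage_seuser_del_local carries no login name, because `name` is only taken from `seuser` and the del path passes NULL there; falling back to `semanage_seuser_get_name(previous)` when seuser is NULL keeps the removed mapping identifiable in the audit trail. In the same function `semanage_seuser_query(handle, key, &seuser)` runs after `dbase_del`, so unless that query reads a store the delete does not touch, the record is already gone and the audit message is empty; move the query ahead of the delete as modify_local does. The return value of audit_log_semanage_message() is also discarded, so a failed audit write still reports success.
```c
static char *semanage_user_roles(semanage_handle_t * handle, const char *sename) {
	/* … unchanged: declarations, key creation and user query … */
			if (semanage_user_get_roles(handle, user, &roles_arr, &num_roles) >= 0) {
				/* an empty role list yields NULL instead of a read past roles_arr */
				if (num_roles > 0) {
					for (i = 0; i < num_roles; i++)
						size += strlen(roles_arr[i]) + 1;
					roles = malloc(size);
				}
				if (roles) {
					strcpy(roles, roles_arr[0]);
					for (i = 1; i < num_roles; i++) {
						strcat(roles, ",");
						strcat(roles, roles_arr[i]); /* was roles_arr[0] */
					}
				}
				free(roles_arr); /* TODO confirm get_roles hands over an allocated array */
			}
	/* … unchanged: semanage_user_free / semanage_user_key_free, return roles … */
```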