Currently we handle adding audit records with the semanage command in policycoreutils.


 



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

The problem is useradd is not calling libsemanage functions directly, this
patch moves the audit record calls into libsemanage.


-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.13 (GNU/Linux)
Comment: Using GnuPG with Thunderbird - http://www.enigmail.net/

iEYEARECAAYFAlHy6vgACgkQrlYvE4MpobNx1wCgyyRY7vs3HlQYpHVZAZUSIijq
p8cAniXvcKVQU3ahCiS9mAf+fM8oB+Zv
=9OtP
-----END PGP SIGNATURE-----
>From e8d9920cbcfd5427e6260b73bc63bf704e546e98 Mon Sep 17 00:00:00 2001
From: Dan Walsh <dwalsh@xxxxxxxxxx>
Date: Fri, 26 Jul 2013 16:20:33 -0400
Subject: [PATCH 44/45] Move handling of role audit messages into libsemanage

---
 libsemanage/src/Makefile        |  2 +-
 libsemanage/src/seusers_local.c | 98 +++++++++++++++++++++++++++++++++++++++--
 2 files changed, 95 insertions(+), 5 deletions(-)

diff --git a/libsemanage/src/Makefile b/libsemanage/src/Makefile
index c63bb22..edb84cc 100644
--- a/libsemanage/src/Makefile
+++ b/libsemanage/src/Makefile
@@ -92,7 +92,7 @@ $(LIBA): $(OBJS)
 	$(RANLIB) $@
 
 $(LIBSO): $(LOBJS)
-	$(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol -lselinux -lbz2 -lustr -L$(LIBDIR) -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs
+	$(CC) $(CFLAGS) $(LDFLAGS) -shared -o $@ $^ -lsepol -laudit -lselinux -lbz2 -lustr -L$(LIBDIR) -Wl,-soname,$(LIBSO),--version-script=libsemanage.map,-z,defs
 	ln -sf $@ $(TARGET)
 
 $(LIBPC): $(LIBPC).in ../VERSION
diff --git a/libsemanage/src/seusers_local.c b/libsemanage/src/seusers_local.c
index e7cf12c..ed0af21 100644
--- a/libsemanage/src/seusers_local.c
+++ b/libsemanage/src/seusers_local.c
@@ -8,27 +8,117 @@ typedef struct semanage_seuser record_t;
 
 #include <sepol/policydb.h>
 #include <sepol/context.h>
+#include <libaudit.h>
+#include <errno.h>
 #include "user_internal.h"
 #include "seuser_internal.h"
 #include "handle.h"
 #include "database.h"
 #include "debug.h"
+#include "string.h"
+#include <stdlib.h>
+
+static char *semanage_user_roles(semanage_handle_t * handle, const char *sename) {
+	char *roles = NULL;
+	unsigned int num_roles;
+	size_t i;
+	size_t size = 0;
+	const char **roles_arr;
+	semanage_user_key_t *key = NULL;
+	semanage_user_t * user;
+	if (semanage_user_key_create(handle, sename, &key) >= 0) {
+		if (semanage_user_query(handle, key, &user) >= 0) {
+			if (semanage_user_get_roles(handle, 
+						    user, 
+						    &roles_arr, 
+						    &num_roles) >= 0) {
+				for (i = 0; i<num_roles; i++) {
+					size += (strlen(roles_arr[i]) + 1);
+				}
+				roles = malloc(size);
+				if (roles) {
+					strcpy(roles,roles_arr[0]);
+					for (i = 1; i<num_roles; i++) {
+						strcat(roles,",");
+						strcat(roles,roles_arr[0]);
+					}
+				}
+			}
+			semanage_user_free(user);
+		}
+		semanage_user_key_free(key);
+	}
+	return roles;
+}
+
+static int semanage_seuser_audit(semanage_handle_t * handle,
+			  const semanage_seuser_t * seuser, 
+			  const semanage_seuser_t * previous,
+			  int audit_type, 
+			  int success) {
+	const char *name = NULL;
+	const char *sename = NULL;
+	char *roles = NULL;
+	const char *mls = NULL;
+	const char *psename = NULL;
+	const char *pmls = NULL;
+	char *proles = NULL;
+	if (seuser) {
+		name = semanage_seuser_get_name(seuser);
+		sename = semanage_seuser_get_sename(seuser);
+		mls = semanage_seuser_get_mlsrange(seuser);
+		roles = semanage_user_roles(handle, sename);
+	}
+	if (previous) {
+		psename = semanage_seuser_get_sename(previous);
+		pmls = semanage_seuser_get_mlsrange(previous);
+		proles = semanage_user_roles(handle, psename);
+	}
+
+	int fd = audit_open();
+	if (fd < 0)
+	{
+		/* If kernel doesn't support audit, bail out */
+		if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT)
+			return 0;
+		return fd;
+	}
+	audit_log_semanage_message(fd, audit_type, NULL, NULL, name, 0, sename, roles, mls, psename, proles, pmls, NULL, NULL,NULL, success);
+	audit_close(fd);
+	free(roles);
+	free(proles);
+	return 0;
+}
 
 int semanage_seuser_modify_local(semanage_handle_t * handle,
 				 const semanage_seuser_key_t * key,
 				 const semanage_seuser_t * data)
 {
-
+	int rc;
 	dbase_config_t *dconfig = semanage_seuser_dbase_local(handle);
-	return dbase_modify(handle, dconfig, key, data);
+	semanage_seuser_t *previous = NULL;
+	semanage_seuser_query(handle, key, &previous);
+	rc = dbase_modify(handle, dconfig, key, data);
+	if (semanage_seuser_audit(handle, data, previous, AUDIT_ROLE_ASSIGN, rc == 0) < 0) 
+		rc = -1;
+	if (previous)
+		semanage_seuser_free(previous);
+	return rc;
 }
 
 int semanage_seuser_del_local(semanage_handle_t * handle,
 			      const semanage_seuser_key_t * key)
 {
-
+	int rc;
+	semanage_seuser_t *seuser = NULL;
 	dbase_config_t *dconfig = semanage_seuser_dbase_local(handle);
-	return dbase_del(handle, dconfig, key);
+	rc = dbase_del(handle, dconfig, key);
+	semanage_seuser_query(handle, key, &seuser);
+	if (semanage_seuser_audit(handle, NULL, seuser, AUDIT_ROLE_REMOVE, rc == 0) < 0) 
+		rc = -1;
+	if (seuser)
+		semanage_seuser_free(seuser);
+	return rc;
 }
 
 int semanage_seuser_query_local(semanage_handle_t * handle,
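Review bot: The concatenation loop in semanage_user_roles appends the first role on every iteration — the `strcat(roles,roles_arr[0]);` that follows `strcat(roles,",");` should read `strcat(roles, roles_arr[i]);` — so the role list recorded in the audit message is wrong for any SELinux user with more than one role. The same function reads `roles_arr[0]` without checking that `num_roles` is non-zero, and if semanage_user_get_roles hands back a heap-allocated array (as the other libsemanage array getters appear to) it is never released; a guard such as `if (num_roles == 0) goto out;` plus `free(roles_arr)` after the copy would cover both. In semanage_seuser_audit the `return fd;` branch after a failed audit_open() leaks `roles` and `proles`, and the result of audit_log_semanage_message() is discarded, so a failed audit write is still reported as success to the caller. In semanage_seuser_del_local the record is looked up only after dbase_del(); if that query reads the store just modified, the audit message will carry no previous sename or roles, so the lookup belongs before the delete, mirroring the order used in semanage_seuser_modify_local.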
-- 
1.8.3.1


