Re: [PATCH] semanage: correct fcontext auditing

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 

On 08/12/2016 03:57 PM, Miroslav Vadkerti wrote:
> For modify action actually audit the selinux type, i.e. use setype
> variable.
> 
> For deleting equal fcontext rules do not audit ftype, as the ftype value
> for equal rules makes little sense.
> 
> Signed-off-by: Miroslav Vadkerti <mvadkert@xxxxxxxxxx>
> ---
>  policycoreutils/semanage/seobject.py | 4 ++--
>  1 file changed, 2 insertions(+), 2 deletions(-)
> 
> diff --git a/policycoreutils/semanage/seobject.py b/policycoreutils/semanage/seobject.py
> index 786ed0e..8d3088c 100644
> --- a/policycoreutils/semanage/seobject.py
> +++ b/policycoreutils/semanage/seobject.py
> @@ -1992,7 +1992,7 @@ class fcontextRecords(semanageRecords):
>          if not seuser:
>              seuser = "system_u"

system_u is reference policy specific. this is selinux user space not
reference policy user space.

>  
> -        self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", type, serange))
> +        self.mylog.log_change("resrc=fcontext op=modify %s ftype=%s tcontext=%s:%s:%s:%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype], seuser, "object_r", setype, serange))
>  
>      def modify(self, target, setype, ftype, serange, seuser):
>          self.begin()
> @@ -2030,7 +2030,7 @@ class fcontextRecords(semanageRecords):
>              self.equiv.pop(target)
>              self.equal_ind = True
>  
> -            self.mylog.log_change("resrc=fcontext op=delete-equal %s ftype=%s" % (audit.audit_encode_nv_string("tglob", target, 0), ftype_to_audit[ftype]))
> +            self.mylog.log_change("resrc=fcontext op=delete-equal %s" % (audit.audit_encode_nv_string("tglob", target, 0)))
>  
>              return
>  
> 


-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02
Dominick Grift

Attachment: signature.asc
Description: OpenPGP digital signature

_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux