On Wed, Apr 11, 2018 at 5:08 PM, Paul Moore <paul@xxxxxxxxxxxxxx> wrote: > On Mon, Apr 9, 2018 at 7:34 PM, Richard Guy Briggs <rgb@xxxxxxxxxx> wrote: >> There were two formats of the audit MAC_STATUS record, one of which was more >> standard than the other. One listed enforcing status changes and the >> other listed enabled status changes with a non-standard label. In >> addition, the record was missing information about which LSM was >> responsible and the operation's completion status. While this record is >> only issued on success, the parser expects the res= field to be present. >> >> old enforcing/permissive: >> type=MAC_STATUS msg=audit(1523312831.378:24514): enforcing=0 old_enforcing=1 auid=0 ses=1 >> old enable/disable: >> type=MAC_STATUS msg=audit(1523312831.378:24514): selinux=0 auid=0 ses=1 >> >> List both sets of status and old values and add the lsm= field and the >> res= field. >> >> Here is the new format: >> type=MAC_STATUS msg=audit(1523293828.657:891): enforcing=0 old_enforcing=1 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1 >> >> This record already accompanied a SYSCALL record. >> >> See: https://github.com/linux-audit/audit-kernel/issues/46 >> Signed-off-by: Richard Guy Briggs <rgb@xxxxxxxxxx> >> --- >> security/selinux/selinuxfs.c | 11 +++++++---- >> 1 file changed, 7 insertions(+), 4 deletions(-) >> >> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c >> index 00eed84..00b21b2 100644 >> --- a/security/selinux/selinuxfs.c >> +++ b/security/selinux/selinuxfs.c >> @@ -145,10 +145,11 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf, >> if (length) >> goto out; >> audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, >> - "enforcing=%d old_enforcing=%d auid=%u ses=%u", >> + "enforcing=%d old_enforcing=%d auid=%u ses=%u" >> + " enabled=%d old-enabled=%d lsm=selinux res=1", >> new_value, selinux_enforcing, >> from_kuid(&init_user_ns, audit_get_loginuid(current)), >> - audit_get_sessionid(current)); >> + audit_get_sessionid(current), selinux_enabled, selinux_enabled); > > This looks fine. > >> selinux_enforcing = new_value; >> if (selinux_enforcing) >> avc_ss_reset(0); >> @@ -272,9 +273,11 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf, >> if (length) >> goto out; >> audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, >> - "selinux=0 auid=%u ses=%u", >> + "enforcing=%d old_enforcing=%d auid=%u ses=%u" >> + " enabled=%d old-enabled=%d lsm=selinux res=1", >> + selinux_enforcing, selinux_enforcing, >> from_kuid(&init_user_ns, audit_get_loginuid(current)), >> - audit_get_sessionid(current)); >> + audit_get_sessionid(current), 0, 1); > > It needs to be said again that I'm opposed to changes like this: > inserting new fields, removing fields, or otherwise changing the > format in ways that aren't strictly the addition of new fields to the > end of a record is a Bad Thing. However, there are exceptions (there > are *always* exceptions), and this seems like a reasonable change that > shouldn't negatively affect anyone. > > I'll merge this once the merge window comes to a close (we are going > to need to base selinux/next on v4.17-rc1). Merged into selinux/next, although I should mention that there were some actual code changes because of the SELinux state consolidation patches that went into v4.17. The changes were small but please take a look and make sure everything still looks okay to you. >> } >> >> length = count; >> -- >> 1.8.3.1 -- paul moore www.paul-moore.com
