On Fri, Aug 21, 2020 at 10:09 AM Thiébaud Weksteen <tweek@xxxxxxxxxx> wrote:
>
> From: Peter Enderborg <peter.enderborg@xxxxxxxx>
>
> This patch adds further attributes to the event. These attributes are
> helpful to understand the context of the message and can be used
> to filter the events.
>
> There are three common items. Source context, target context and tclass.
> There are also items from the outcome of operation performed.
>
> An event is similar to:
>   <...>-1309 [002] .... 6346.691689: selinux_audited:
>     requested=0x4000000 denied=0x4000000 audited=0x4000000
>     result=-13
>     scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
>     tcontext=system_u:object_r:bin_t:s0 tclass=file
>
> With systems where many denials are occurring, it is useful to apply a
> filter. The filtering is a set of logic that is inserted with
> the filter file. Example:
>   echo "tclass==\"file\" " > events/avc/selinux_audited/filter
>
> This adds that we only get tclass=file.
>
> The trace can also have extra properties. Adding the user stack
> can be done with
>   echo 1 > options/userstacktrace
>
> Now the output will be
>   runcon-1365 [003] .... 6960.955530: selinux_audited:
>     requested=0x4000000 denied=0x4000000 audited=0x4000000
>     result=-13
>     scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023
>     tcontext=system_u:object_r:bin_t:s0 tclass=file
>   runcon-1365 [003] .... 6960.955560: <user stack trace>
>   => <00007f325b4ce45b>
>   => <00005607093efa57>
>
> Signed-off-by: Peter Enderborg <peter.enderborg@xxxxxxxx>
> Reviewed-by: Thiébaud Weksteen <tweek@xxxxxxxxxx>

Acked-by: Stephen Smalley <stephen.smalley.work@xxxxxxxxx>
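
Added example, not part of the original message or of the patch: a small Python parser for the selinux_audited line format quoted above, which tallies denials per (scontext, tcontext, tclass) and can apply the same tclass restriction in user space when reading a saved trace. It assumes the trace file prints each event on one line; the function names and the second sample event are constructed for illustration.

```python
import re
from collections import Counter

# Constructed sample: the event from the commit message joined onto one line
# (assumption: one event per line in the trace file), its user stack trace
# lines, and a made-up tclass=dir event.
SAMPLE = """\
runcon-1365 [003] .... 6960.955530: selinux_audited: requested=0x4000000 denied=0x4000000 audited=0x4000000 result=-13 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=file
runcon-1365 [003] .... 6960.955560: <user stack trace>
 => <00007f325b4ce45b>
 => <00005607093efa57>
runcon-1366 [001] .... 6961.000100: selinux_audited: requested=0x2 denied=0x2 audited=0x2 result=-13 scontext=system_u:system_r:cupsd_t:s0-s0:c0.c1023 tcontext=system_u:object_r:bin_t:s0 tclass=dir
"""

EVENT = re.compile(r"^\s*(?P<task>.+)-(?P<pid>\d+)\s+\[(?P<cpu>\d+)\]\s+\S+\s+"
                   r"(?P<ts>\d+\.\d+):\s+selinux_audited:\s+(?P<fields>.*)$")
HEX_FIELDS = ("requested", "denied", "audited")

def parse_event(line):
    """Return a dict for one selinux_audited line, or None for other lines."""
    m = EVENT.match(line)
    if not m:
        return None  # stack trace lines, other events, blank lines
    ev = {"task": m["task"], "pid": int(m["pid"]),
          "cpu": int(m["cpu"]), "ts": float(m["ts"])}
    # key=value pairs are space separated; contexts contain ':' but no spaces.
    for pair in m["fields"].split():
        key, _, value = pair.partition("=")
        ev[key] = value
    for key in HEX_FIELDS:
        ev[key] = int(ev[key], 16)   # permission bitmasks, printed as hex
    ev["result"] = int(ev["result"])  # negative errno, -13 is EACCES
    return ev

def tally_denials(text, tclass=None):
    """Count events with denied bits set, optionally for a single tclass."""
    counts = Counter()
    for line in text.splitlines():
        ev = parse_event(line)
        if ev is None or not ev["denied"]:
            continue
        if tclass is not None and ev["tclass"] != tclass:
            continue
        counts[(ev["scontext"], ev["tcontext"], ev["tclass"])] += 1
    return counts
```
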