On Wed, Aug 26, 2020 at 10:35 AM Chris PeBenito <chpebeni@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On 8/26/20 9:25 AM, Chris PeBenito wrote:
> > I was looking into this dbus-broker audit message, which has the wrong audit type:
> >
> > audit[422]: USER_AVC pid=422 uid=999 auid=4294967295 ses=4294967295
> > subj=system_u:system_r:system_dbusd_t msg='avc: received policyload notice
> > (seqno=2)
> >
> > This is due to dbus-broker setting their avc log callback to send USER_AVC audit
> > messages for everything that comes to the libselinux log callback. I think the
> > right thing to do there is to change it to emit USER_SELINUX_ERR audit messages
> > if the log message is SELINUX_ERROR, otherwise log the message using their
> > regular method (stderr I think).
> >
> > But the question became, why is the userspace AVC not simply emitting its own
> > USER_MAC_POLICY_LOAD audit message instead of sending a message to the log
> > callback?
>
> Ok, I missed that there is a SELINUX_AVC log type and that's how the userspace
> denial messages are sent out. How about adding SELINUX_POLICYLOAD and
> SELINUX_ENFORCE log types so that callers can emit appropriate audit messages?

Do we need two different new types or just one? Otherwise, I don't have a problem
with adding new ones as long as it doesn't break existing applications.
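As an added illustration of the routing the thread is about (this is example code, not dbus-broker's or libselinux's own), here is a libselinux SELINUX_CB_LOG callback written both ways: the behaviour described above, where every message the callback receives becomes a USER_AVC record, and a type-aware version that maps SELINUX_AVC to USER_AVC, SELINUX_ERROR to USER_SELINUX_ERR, the two proposed types to USER_MAC_POLICY_LOAD and USER_MAC_STATUS, and sends everything else to stderr. Assumptions: the SELINUX_* constant values are mirrored from selinux/selinux.h and the proposed "SELINUX_ENFORCE" type is spelled SELINUX_SETENFORCE here; the USER_MAC_STATUS mapping for enforcing-mode changes is the author's choice; and the call to audit_log_user_avc_message() from libaudit is replaced by a small stand-in that records which record type was chosen, so the block builds without libaudit or libselinux installed. The sample notice text is constructed from the message quoted in the thread.

```c
/* Added example: a libselinux log callback that routes messages to the right
 * audit record type. Not dbus-broker's or libselinux's code. */
#include <stdarg.h>
#include <stdio.h>
#include <string.h>

/* libselinux log types (assumed to mirror selinux/selinux.h; if that header is
 * included first these definitions are skipped). SELINUX_POLICYLOAD and
 * SELINUX_SETENFORCE stand for the two types proposed in the thread. */
#ifndef SELINUX_ERROR
#define SELINUX_ERROR      0
#define SELINUX_WARNING    1
#define SELINUX_INFO       2
#define SELINUX_AVC        3
#define SELINUX_POLICYLOAD 4
#define SELINUX_SETENFORCE 5
#endif

/* What the last emitted audit record looked like, so a caller can check what
 * the callback decided. last_type is NULL when no record was emitted. */
static const char *last_type;
static char last_msg[1024];
static unsigned record_count;

void reset_audit_state(void) { last_type = NULL; last_msg[0] = '\0'; record_count = 0; }
const char *last_audit_record_type(void) { return last_type; }
const char *last_audit_message(void)     { return last_msg; }
unsigned audit_record_count(void)        { return record_count; }

/* Stand-in for audit_log_user_avc_message() from <libaudit.h>: a real daemon
 * passes the matching AUDIT_* constant; here the record type name is kept. */
static void emit_audit_record(const char *record_type, const char *msg)
{
    last_type = record_type;
    snprintf(last_msg, sizeof last_msg, "%s", msg);
    record_count++;
    fprintf(stderr, "audit %s msg='%s'\n", record_type, msg);
}

/* Audit record type a libselinux log type should produce; NULL means the
 * message is not audit material and belongs on the daemon's normal log. */
const char *audit_type_for(int selinux_type)
{
    switch (selinux_type) {
    case SELINUX_AVC:        return "USER_AVC";             /* userspace denials */
    case SELINUX_ERROR:      return "USER_SELINUX_ERR";
    case SELINUX_POLICYLOAD: return "USER_MAC_POLICY_LOAD";
    case SELINUX_SETENFORCE: return "USER_MAC_STATUS";      /* assumed mapping */
    default:                 return NULL;                   /* WARNING, INFO */
    }
}

/* libselinux hands the callback a printf-style format whose messages end in
 * '\n'; a trailing newline has no place inside an audit record. */
static void render(char *buf, size_t len, const char *fmt, va_list ap)
{
    vsnprintf(buf, len, fmt, ap);
    size_t n = strlen(buf);
    if (n > 0 && buf[n - 1] == '\n')
        buf[n - 1] = '\0';
}

/* The behaviour the thread describes: everything becomes USER_AVC, so a
 * policy-load notice delivered as SELINUX_INFO is logged like a denial. */
int broken_log_cb(int type, const char *fmt, ...)
{
    char buf[1024];
    va_list ap;
    (void)type;
    va_start(ap, fmt);
    render(buf, sizeof buf, fmt, ap);
    va_end(ap);
    emit_audit_record("USER_AVC", buf);
    return 0;
}

/* Dispatch on the log type; only audit material reaches the audit log.
 * Installed in a real program with:
 *   selinux_set_callback(SELINUX_CB_LOG,
 *                        (union selinux_callback){ .func_log = fixed_log_cb }); */
int fixed_log_cb(int type, const char *fmt, ...)
{
    char buf[1024];
    va_list ap;
    const char *record_type = audit_type_for(type);
    va_start(ap, fmt);
    render(buf, sizeof buf, fmt, ap);
    va_end(ap);
    if (record_type)
        emit_audit_record(record_type, buf);
    else
        fprintf(stderr, "selinux: %s\n", buf);   /* regular logging path */
    return 0;
}

int main(void)
{
    /* Constructed sample, modelled on the notice quoted in the thread. */
    const char *notice = "avc: received policyload notice (seqno=%u)\n";
    broken_log_cb(SELINUX_INFO, notice, 2);        /* lands in audit as USER_AVC */
    fixed_log_cb(SELINUX_INFO, notice, 2);         /* stderr only */
    fixed_log_cb(SELINUX_POLICYLOAD, notice, 3);   /* USER_MAC_POLICY_LOAD */
    return 0;
}
```

With the type-aware callback, the notice from the thread only becomes an audit record once libselinux delivers it under a dedicated type; until then it goes to stderr rather than masquerading as a denial. Any mapping beyond USER_AVC and USER_SELINUX_ERR is a local policy decision for the daemon, which is why the two proposed log types matter: without them the callback cannot tell a policy-load or enforcing-mode notice from ordinary SELINUX_INFO chatter.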