On 8/26/20 10:46 AM, Stephen Smalley wrote:
On Wed, Aug 26, 2020 at 10:35 AM Chris PeBenito
<chpebeni@xxxxxxxxxxxxxxxxxxx> wrote:
On 8/26/20 9:25 AM, Chris PeBenito wrote:
I was looking into this dbus-broker audit message, which has the wrong audit type:
audit[422]: USER_AVC pid=422 uid=999 auid=4294967295 ses=4294967295
subj=system_u:system_r:system_dbusd_t msg='avc: received policyload notice
(seqno=2)
This is due to dbus-broker setting their avc log callback to send USER_AVC audit
messages for everything that comes to the libselinux log callback. I think the
right thing to do there is to change it to emit USER_SELINUX_ERR audit messages
if the log message is SELINUX_ERROR, otherwise log the message using their
regular method (stderr I think).
But the question became, why is the userspace AVC not simply emitting its own
USER_MAC_POLICY_LOAD audit message instead of sending a message to the log
callback?
Ok, I missed that there is a SELINUX_AVC log type and that's how the userspace
denial messages are sent out. How about adding SELINUX_POLICYLOAD and
SELINUX_ENFORCE log types so that callers can emit appropriate audit messages?
Do we need two different new types or just one? Otherwise, I don't
have a problem with adding new ones as long as it doesn't break
existing applications.
Perhaps just the policyload. There is a USER_MAC_POLICY_LOAD audit type which
made me think of adding the SELINUX_POLICYLOAD type to the logging callback.
There is the log message after processing the setenforce, but there isn't
currently a corresponding USER_MAC_STATUS audit message type. It seems like it
is justifiable to have a USER_MAC_STATUS audit message for consistency, but I'm
not sure how much value it provides.
--
Chris PeBenito