On Wed, Aug 26, 2020 at 2:28 PM Chris PeBenito <chpebeni@xxxxxxxxxxxxxxxxxxx> wrote: > > On 8/26/20 10:46 AM, Stephen Smalley wrote: > > On Wed, Aug 26, 2020 at 10:35 AM Chris PeBenito > > <chpebeni@xxxxxxxxxxxxxxxxxxx> wrote: > >> > >> On 8/26/20 9:25 AM, Chris PeBenito wrote: > >>> I was looking into this dbus-broker audit message, which has the wrong audit type: > >>> > >>> audit[422]: USER_AVC pid=422 uid=999 auid=4294967295 ses=4294967295 > >>> subj=system_u:system_r:system_dbusd_t msg='avc: received policyload notice > >>> (seqno=2) > >>> > >>> This is due to dbus-broker setting their avc log callback to send USER_AVC audit > >>> messages for everything that comes to the libselinux log callback. I think the > >>> right thing to do there is to change it to emit USER_SELINUX_ERR audit messages > >>> if the log message is SELINUX_ERROR, otherwise log the message using their > >>> regular method (stderr I think). > >>> > >>> But the question became, why is the userspace AVC not simply emitting its own > >>> USER_MAC_POLICY_LOAD audit message instead of sending a message to the log > >>> callback? > >> > >> Ok, I missed that there is a SELINUX_AVC log type and that's how the userspace > >> denial messages are sent out. How about adding SELINUX_POLICYLOAD and > >> SELINUX_ENFORCE log types so that callers can emit appropriate audit messages? > > > > Do we need two different new types or just one? Otherwise, I don't > > have a problem with adding new ones as long as it doesn't break > > existing applications. > > Regarding the risk of breaking existing applications, I did some checking on > some userspace AVC users and what they do in their log callback: > > * systemd only audits SELINUX_AVC and SELINUX_ERROR messages and ignores > others(as Petr noted) > * xorg-server audits SELINUX_AVC correctly but audits SELINUX_INFO as > USER_MAC_POLICY_LOAD and everything else it ignores the type and audits as > AUDIT_USER_SELINUX_ERR > * dbus-broker ignores type and audits everything as USER_AVC > * dbus-service ignores type and audits everything as USER AVC > * pam: pam_rootok ignores type and audits everything as USER_AVC > * sepgsql custom AVC implementation (this was news to me) > * shadow-utils only audits SELINUX_AVC and SELINUX_ERROR messages and others go > to syslog > * cronie: no callback set > > That's all the ones I could think of. Which ones am I missing? Short of searching for everything that calls avc_init() or selinux_set_callback(), I don't know. Android defines a common log callback via https://android.googlesource.com/platform/external/selinux/+/refs/heads/master/libselinux/src/android/android.c#236 that funnels everything except for INFO and WARNING to its error stream. Sounds like introducing new types will do no harm with the possible exception of XSELinux and that's rarely used. Certainly won't break anything.
