This will enable userspace object managers to send proper audits for policy loads and setenforce messages generated by the userspace AVC code.

Signed-off-by: Chris PeBenito <chpebeni@xxxxxxxxxxxxxxxxxxx>
---
 libselinux/include/selinux/selinux.h | 2 ++
 libselinux/man/man3/selinux_set_callback.3 | 5 +++++
 libselinux/src/avc_internal.c | 4 ++--
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index c22834e5..ae98a92e 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -182,6 +182,8 @@ extern void selinux_set_callback(int type, union selinux_callback cb);
 #define SELINUX_WARNING 1
 #define SELINUX_INFO 2
 #define SELINUX_AVC 3
+#define SELINUX_POLICYLOAD 4
+#define SELINUX_SETENFORCE 5
 #define SELINUX_TRANS_DIR "/var/run/setrans"
 
 /* Compute an access decision. */
diff --git a/libselinux/man/man3/selinux_set_callback.3 b/libselinux/man/man3/selinux_set_callback.3
index a4c613ad..6dfe5ff6 100644
--- a/libselinux/man/man3/selinux_set_callback.3
+++ b/libselinux/man/man3/selinux_set_callback.3
@@ -46,6 +46,11 @@ argument indicates the type of message and will be set to one of the following:
 .B SELINUX_INFO
 
 .B SELINUX_AVC
+
+.B SELINUX_POLICYLOAD
+
+.B SELINUX_SETENFORCE
+
 .
 .TP
 .B SELINUX_CB_AUDIT
diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c
index 4ef92452..572b2159 100644
--- a/libselinux/src/avc_internal.c
+++ b/libselinux/src/avc_internal.c
@@ -58,7 +58,7 @@ int avc_process_setenforce(int enforcing)
 {
 	int rc = 0;
 
-	avc_log(SELINUX_INFO,
+	avc_log(SELINUX_SETENFORCE,
 		"%s: received setenforce notice (enforcing=%d)\n",
 		avc_prefix, enforcing);
 	if (avc_setenforce)
@@ -80,7 +80,7 @@ int avc_process_policyload(uint32_t seqno)
 {
 	int rc = 0;
 
-	avc_log(SELINUX_INFO,
+	avc_log(SELINUX_POLICYLOAD,
 		"%s: received policyload notice (seqno=%u)\n",
 		avc_prefix, seqno);
 	rc = avc_ss_reset(seqno);
-- 
2.26.2
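Review bot: SELINUX_POLICYLOAD and SELINUX_SETENFORCE are added to the SELINUX_CB_LOG type list in selinux.h without any comment on what emits them, and an existing log callback that switches on the type with explicit cases for the four earlier values and ignores the rest will now silently drop the setenforce and policyload notices that avc_internal.c previously delivered as SELINUX_INFO. A one-line comment beside the new defines would make both the intent and that compatibility consideration visible: `/* Sent by the userspace AVC for policy load / setenforce notices so the log callback can audit them; treat unrecognised types as SELINUX_INFO. */`. The man page hunk in this series lists the two names but not their meaning, so the same sentence belongs there as well.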
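Review bot: The avc_log calls in avc_process_setenforce and avc_process_policyload now pass a dedicated type, but nothing at either call site records why, and the message text still reads as an ordinary informational notice, so a later reader could reasonably "normalise" them back to SELINUX_INFO and lose the auditability this commit introduces. Add `/* SELINUX_SETENFORCE rather than SELINUX_INFO: lets the SELINUX_CB_LOG callback audit enforcing-mode changes separately. */` above the first call, and the matching SELINUX_POLICYLOAD comment above the call in the second hunk. Both functions continue past the end of their hunks.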