[PATCH 1/1] libselinux: Add new log callback levels for enforcing and policy load notices.


 



This will enable userspace object managers to send proper audits for policy
loads and setenforce messages generated by the userspace AVC code.

Signed-off-by: Chris PeBenito <chpebeni@xxxxxxxxxxxxxxxxxxx>
---
 libselinux/include/selinux/selinux.h       | 2 ++
 libselinux/man/man3/selinux_set_callback.3 | 5 +++++
 libselinux/src/avc_internal.c              | 4 ++--
 3 files changed, 9 insertions(+), 2 deletions(-)

diff --git a/libselinux/include/selinux/selinux.h b/libselinux/include/selinux/selinux.h
index c22834e5..ae98a92e 100644
--- a/libselinux/include/selinux/selinux.h
+++ b/libselinux/include/selinux/selinux.h
@@ -182,6 +182,8 @@ extern void selinux_set_callback(int type, union selinux_callback cb);
 #define SELINUX_WARNING		1
 #define SELINUX_INFO		2
 #define SELINUX_AVC		3
+#define SELINUX_POLICYLOAD	4
+#define SELINUX_SETENFORCE	5
 #define SELINUX_TRANS_DIR	"/var/run/setrans"
 
 /* Compute an access decision. */
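Review bot: The added `SELINUX_POLICYLOAD` and `SELINUX_SETENFORCE` defines have no comment, and they extend a list whose visible neighbours (`SELINUX_WARNING`, `SELINUX_INFO`) read as severities rather than event kinds. A callback author looking only at the header cannot tell when these values are delivered. A one-line comment above them would cover it, for example `/* Userspace AVC notices: policy reload and enforcing-mode change (previously logged as SELINUX_INFO). */`.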
diff --git a/libselinux/man/man3/selinux_set_callback.3 b/libselinux/man/man3/selinux_set_callback.3
index a4c613ad..6dfe5ff6 100644
--- a/libselinux/man/man3/selinux_set_callback.3
+++ b/libselinux/man/man3/selinux_set_callback.3
@@ -46,6 +46,11 @@ argument indicates the type of message and will be set to one of the following:
 .B SELINUX_INFO
 
 .B SELINUX_AVC
+
+.B SELINUX_POLICYLOAD
+
+.B SELINUX_SETENFORCE
+
 .
 .TP
 .B SELINUX_CB_AUDIT
diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c
index 4ef92452..572b2159 100644
--- a/libselinux/src/avc_internal.c
+++ b/libselinux/src/avc_internal.c
@@ -58,7 +58,7 @@ int avc_process_setenforce(int enforcing)
 {
 	int rc = 0;
 
-	avc_log(SELINUX_INFO,
+	avc_log(SELINUX_SETENFORCE,
 		"%s:  received setenforce notice (enforcing=%d)\n",
 		avc_prefix, enforcing);
 	if (avc_setenforce)
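Review bot: An existing `SELINUX_CB_LOG` callback that handles only the older type values will now receive an unrecognised `type` for this message, which used to arrive as `SELINUX_INFO`; the same applies to the `avc_log(SELINUX_POLICYLOAD, ...)` call in the `avc_process_policyload` hunk. Depending on how an object manager writes its fallback branch, the setenforce and policy-load notices could be dropped or logged at the wrong priority after a library upgrade, which would lose exactly the security-relevant events this change is meant to make auditable. It would help to state in the man page that callbacks should treat unknown types as informational, and to check the in-tree callback users before merging. The body of `avc_process_setenforce` continues past the end of this hunk, so how `rc` and `avc_setenforce` are handled afterwards is not visible here.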
@@ -80,7 +80,7 @@ int avc_process_policyload(uint32_t seqno)
 {
 	int rc = 0;
 
-	avc_log(SELINUX_INFO,
+	avc_log(SELINUX_POLICYLOAD,
 		"%s:  received policyload notice (seqno=%u)\n",
 		avc_prefix, seqno);
 	rc = avc_ss_reset(seqno);
-- 
2.26.2



