I put up a PR for dbus-broker to revise its auditing: https://github.com/bus1/dbus-broker/pull/240 Steve Grubb mentioned that there wasn't much useful info in terms of the audit message itself, since it isn't key:value pairs. I'm looking to revise the avc_log() messages for SELINUX_ERROR, SELINUX_SETENFORCE, and SELINUX_POLICYLOAD messages such that they more closely reseble the kernel audits. *This patch is _incomplete*; I implemented a few changes to get early feedback on the direction I'm taking. What seems potentially contentious is the 'lsm=selinux_uavc' and op= choices.
Signed-off-by: Chris PeBenito <chpebeni@xxxxxxxxxxxxxxxxxxx>
---
 libselinux/src/avc_internal.c | 12 ++++++------
 1 file changed, 6 insertions(+), 6 deletions(-)
diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c
index 572b2159..35ea59b6 100644
--- a/libselinux/src/avc_internal.c
+++ b/libselinux/src/avc_internal.c
@@ -59,14 +59,14 @@ int avc_process_setenforce(int enforcing)
 	int rc = 0;
 
 	avc_log(SELINUX_SETENFORCE,
-		"%s: received setenforce notice (enforcing=%d)\n",
+		"%s: op=setenforce lsm=selinux_uavc enforcing=%d res=1",
 		avc_prefix, enforcing);
 	if (avc_setenforce)
 		goto out;
 	avc_enforcing = enforcing;
 	if (avc_enforcing && (rc = avc_ss_reset(0)) < 0) {
 		avc_log(SELINUX_ERROR,
-			"%s: cache reset returned %d (errno %d)\n",
+			"%s: op=cache_reset lsm=selinux_uavc rc=%d errno=%d res=0",
 			avc_prefix, rc, errno);
 		return rc;
 	}
@@ -81,12 +81,12 @@ int avc_process_policyload(uint32_t seqno)
 	int rc = 0;
 
 	avc_log(SELINUX_POLICYLOAD,
-		"%s: received policyload notice (seqno=%u)\n",
+		"%s: op=load_policy lsm=selinux_uavc seqno=%u res=1",
 		avc_prefix, seqno);
 	rc = avc_ss_reset(seqno);
 	if (rc < 0) {
 		avc_log(SELINUX_ERROR,
-			"%s: cache reset returned %d (errno %d)\n",
+			"%s: op=cache_reset lsm=selinux_uavc rc=%d errno=%d res=0",
 			avc_prefix, rc, errno);
 		return rc;
 	}
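Review bot: In avc_process_setenforce the new SELINUX_SETENFORCE record claims `res=1` before the notice has been acted on: it is emitted ahead of `if (avc_setenforce) goto out;`, so a notice that is then ignored because the caller pinned the enforcing mode is still audited as a successful setenforce. The same ordering appears in avc_process_policyload in the next hunk, where `res=1` is logged before `avc_ss_reset(seqno)` runs and a failure then produces a second record with `res=0`. If the first record is meant to say "notice received" rather than "mode changed", consider making the key say so (e.g. a constructed `op=setenforce_notice`), or emit the record after the `avc_setenforce` check. Separately, all four new format strings drop the trailing `\n` of the strings they replace; unless every avc_log backend appends its own newline (not visible here), successive messages on a plain stderr logger will run together, so that should be confirmed before the series is finalized. Both functions continue outside their hunks.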
@@ -157,7 +157,7 @@ static int avc_netlink_receive(void *buf, unsigned buflen, int blocking)
 		return -1;
 	} else if (rc < 1) {
-		avc_log(SELINUX_ERROR, "%s: netlink poll: error %d\n",
+		avc_log(SELINUX_ERROR, "%s: op=netlink_poll lsm=selinux_uavc errno=%d res=0",
 			avc_prefix, errno);
 		return rc;
 	}
@@ -214,7 +214,7 @@ static int avc_netlink_process(void *buf)
 		errno = -err->error;
 		avc_log(SELINUX_ERROR,
-			"%s: netlink error: %d\n", avc_prefix, errno);
+			"%s: op=netlink_msgtype lsm=selinux_uavc errno=%d res=0", avc_prefix, errno);
 		return -1;
 	}
-- 
2.26.2
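Review bot: In avc_netlink_process the chosen key `op=netlink_msgtype` does not describe what is being reported: the line above sets `errno = -err->error`, i.e. this is the kernel's netlink error acknowledgement, which the removed string called `netlink error`, so `op=netlink_error` (or similar) would keep the record self-describing for anyone searching audit output. In the avc_netlink_receive hunk above, the `else if (rc < 1)` branch also covers `rc == 0`, and the call that produced rc (outside the hunk) presumably does not set errno on a zero return, so the new `errno=%d` key can report a stale value; that is pre-existing, but labelling the number as errno now asserts it is meaningful, and a guard or a separate message for the zero case would avoid a misleading record. Both enclosing functions begin and end outside their hunks.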