Use the appropriate audit type for SELINUX_ERROR, SELINUX_POLICYLOAD and
SELINUX_SETENFORCE libselinux messages, e.g. avoid USER_SELINUX_ERR for
policy load events:
audit[980]: USER_SELINUX_ERR pid=980 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xorg_t:s0 msg='avc: op=load_policy lsm=selinux seqno=8 res=1 exe="/usr/lib/xorg/Xorg" sauid=0 hostname=? addr=? terminal=?'
Do not generate an audit event for SELINUX_WARNING messages.
Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
See upstream merge request https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/801
---
Xext/xselinux_hooks.c | 24 ++++++++++++++++++++----
1 file changed, 20 insertions(+), 4 deletions(-)
diff --git a/Xext/xselinux_hooks.c b/Xext/xselinux_hooks.c
index b9d47103a..4305ba9b4 100644
--- a/Xext/xselinux_hooks.c
+++ b/Xext/xselinux_hooks.c
@@ -301,25 +301,41 @@ SELinuxLog(int type, const char *fmt, ...)
{
va_list ap;
char buf[MAX_AUDIT_MESSAGE_LENGTH];
- int rc, aut;
+ int aut;
switch (type) {
+ case SELINUX_ERROR:
+ aut = AUDIT_USER_SELINUX_ERR;
+ break;
case SELINUX_INFO:
aut = AUDIT_USER_MAC_POLICY_LOAD;
break;
case SELINUX_AVC:
aut = AUDIT_USER_AVC;
break;
+#ifdef SELINUX_POLICYLOAD /* since libselinux 3.2 */
+ case SELINUX_POLICYLOAD:
+ aut = AUDIT_USER_MAC_POLICY_LOAD;
+ break;
+#endif
+#if defined(SELINUX_SETENFORCE) && defined(AUDIT_USER_MAC_STATUS) /* since libselinux 3.2 and audit 3.0 */
+ case SELINUX_SETENFORCE:
+ aut = AUDIT_USER_MAC_STATUS;
+ break;
+#endif
+ case SELINUX_WARNING:
default:
- aut = AUDIT_USER_SELINUX_ERR;
+ /* Do not generate an audit event, just log normally. */
+ aut = -1;
break;
}
va_start(ap, fmt);
vsnprintf(buf, MAX_AUDIT_MESSAGE_LENGTH, fmt, ap);
- rc = audit_log_user_avc_message(audit_fd, aut, buf, NULL, NULL, NULL, 0);
- (void) rc;
va_end(ap);
+
+ if (aut != -1)
+ (void) audit_log_user_avc_message(audit_fd, aut, buf, NULL, NULL, NULL, 0);
LogMessageVerb(X_WARNING, 0, "%s", buf);
return 0;
}
--
2.34.0
