Re: [PATCH] libselinux: avoid newline in avc message

James Carter <jwcart2@xxxxxxxxx> · Wed, 10 Aug 2022 11:33:35 -0400



On Mon, Aug 8, 2022 at 1:36 PM Christian Göttsche
<cgzones@xxxxxxxxxxxxxx> wrote:
>
> Do not add a final newline to the avc log message as it will be treated
> as a part of the tclass field in final audit record:
>
>     {
>         "AUDIT_FIELD_EXE" : "/usr/bin/dbus-broker",
>         "_UID" : "104",
>         "_AUDIT_SESSION" : "4294967295",
>         "_TRANSPORT" : "audit",
>         "__REALTIME_TIMESTAMP" : "1659975331468531",
>         "_AUDIT_TYPE" : "1107",
>         "AUDIT_FIELD_SCONTEXT" : "system_u:system_r:systemd_t:s0",
>         "_AUDIT_LOGINUID" : "4294967295",
>         "_SELINUX_CONTEXT" : "system_u:system_r:system_dbusd_t:s0-s0:c0.c1023",
>         "AUDIT_FIELD_SAUID" : "104",
>         "MESSAGE" : "USER_AVC pid=1538 uid=104 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  granted  { send_msg } for  scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus\n exe=\"/usr/bin/dbus-broker\" sauid=104 hostname=? addr=? terminal=?'",
>         "AUDIT_FIELD_TCONTEXT" : "system_u:system_r:systemd_logind_t:s0",
>         "_SOURCE_REALTIME_TIMESTAMP" : "1659975331462000",
>         "__MONOTONIC_TIMESTAMP" : "207995768",
>         "AUDIT_FIELD_TCLASS" : "dbus\n",
>         "AUDIT_FIELD_TERMINAL" : "?",
>         "_PID" : "1538",
>         "SYSLOG_FACILITY" : "4",
>         "_BOOT_ID" : "3921464b65f64fb4a7c037dee97cd6ad",
>         "SYSLOG_IDENTIFIER" : "audit",
>         "_MACHINE_ID" : "5d78c28f10d54c0fb7b6fd1acc6af8ff",
>         "_AUDIT_TYPE_NAME" : "USER_AVC",
>         "__CURSOR" : "s=84589ce96ff8400189fc515ff892674a;i=c38e;b=3921464b65f64fb4a7c037dee97cd6ad;m=c65c378;t=5e5bd1ff7d4f3;x=c22e610fc9b00b10",
>         "AUDIT_FIELD_ADDR" : "?",
>         "AUDIT_FIELD_HOSTNAME" : "?",
>         "_AUDIT_ID" : "1075",
>         "_HOSTNAME" : "debianBullseye"
>     }
>
> Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>

Acked-by: James Carter <jwcart2@xxxxxxxxx>

> ---
>  libselinux/src/avc.c | 1 -
>  1 file changed, 1 deletion(-)
>
> diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
> index 7493e4b2..8d5983a2 100644
> --- a/libselinux/src/avc.c
> +++ b/libselinux/src/avc.c
> @@ -725,7 +725,6 @@ void avc_audit(security_id_t ssid, security_id_t tsid,
>         if (denied)
>                 log_append(avc_audit_buf, " permissive=%u", result ? 0 : 1);
>
> -       log_append(avc_audit_buf, "\n");
>         avc_log(SELINUX_AVC, "%s", avc_audit_buf);
>
>         avc_release_lock(avc_log_lock);
> --
> 2.36.1
>