Since libselinux 3.2, via commit 05bdc03130d7 ("libselinux: use kernel status page by default") [1], selinux_status_updated(3) will issue log messages on enforcing changes and policy loads. dpkg is only interested in whether the policy changed to then reload the SELinux label database. Ignore non-relevant log messages and forward messages of type error, warning and avc (which should be treated as error if not audited according to selinux_set_callback(3)). Example (the missing newline is a libselinux bug [2]): Unpacking valgrind-dbg (1:3.19.0-1) ... │ uavc: op=setenforce lsm=selinux enforcing=0 res=1Preparing to unpack .../vnstati_2.9-1_amd64.deb ... See also https://github.com/rpm-software-management/rpm/pull/2201 [1]: https://github.com/SELinuxProject/selinux/commit/05bdc03130d741e53e1fb45a958d0a2c184be503 [2]: https://lore.kernel.org/selinux/20221011112733.194079-1-plautrba@xxxxxxxxxx/
---
 src/common/selinux.c | 31 ++++++++++++++++++++++++++++---
 1 file changed, 28 insertions(+), 3 deletions(-)
diff --git a/src/common/selinux.c b/src/common/selinux.c
index 07f87a3dd..c123fb924 100644
--- a/src/common/selinux.c
+++ b/src/common/selinux.c
@@ -44,6 +44,33 @@ static struct selabel_handle *sehandle;
 #endif
+#ifdef WITH_LIBSELINUX
+DPKG_ATTR_PRINTF(2)
+static int log_callback(int type, const char *fmt, ...)
+{
+ char *msg;
+ va_list ap;
+
+ switch (type) {
+ case SELINUX_ERROR:
+ case SELINUX_WARNING:
+ case SELINUX_AVC:
+ break;
+ default:
+ return 0;
+ }
+
+ va_start(ap, fmt);
+ m_vasprintf(&msg, fmt, ap);
+ va_end(ap);
+
+ warning("libselinux: %s", msg);
+ free(msg);
+
+ return 0;
+}
+#endif
+
 void
 dpkg_selabel_load(void)
 {
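Review bot: The text libselinux hands to log_callback normally carries its own trailing newline (the commit message itself treats the AVC line lacking one as a libselinux bug), so `warning("libselinux: %s", msg)` will, if warning() terminates its own line as dpkg's other diagnostics do, leave an empty line after every forwarded error or warning; trimming it before the call, `size_t len = strlen(msg); if (len > 0 && msg[len - 1] == '\n') msg[len - 1] = '\0';`, keeps each message on one line and makes the AVC case come out the same as the others. The switch also forwards SELINUX_AVC at warning level even though the commit message says selinux_set_callback(3) wants it treated as an error when not audited, so a one-line comment above `case SELINUX_AVC:` stating that dpkg deliberately reports it as a warning rather than aborting the operation would save the next reader from re-deriving that. Whether <stdarg.h> and <stdlib.h> are already included for va_list and free() cannot be seen from the hunk. dpkg_selabel_load() begins at the end of this hunk and its body continues outside it.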
@@ -65,9 +92,7 @@ dpkg_selabel_load(void)
 if (rc < 0)
 ohshit(_("cannot open security status notification channel"));
- /* XXX: We could use selinux_set_callback() to redirect the
- * errors from the other SELinux calls, but that does not seem
- * worth it right now. */
+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) { .func_log = log_callback });
 } else if (selinux_enabled && selinux_status_updated()) {
 /* The SELinux policy got updated in the kernel, usually after
 * upgrading the package shipping it, we need to reload. */
-- 
2.37.2
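Review bot: The log callback is installed only after selinux_status_open() has already returned (its rc is checked at the top of this hunk), so any diagnostic libselinux emits during that call, or during whatever enabled-check precedes it in the part of this branch that lies outside the hunk, still takes libselinux's default stderr path with none of the type filtering that log_callback applies. Registering the callback first, i.e. moving the `selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) { .func_log = log_callback });` line ahead of the status-channel setup, would route every libselinux message through one place; this presumably matters most on the first call, since on later calls the callback is already in place when selinux_status_updated() runs. The removed comment named "the other SELinux calls" as the reason to redirect errors, which the current placement only partly covers. dpkg_selabel_load() starts before this hunk and ends after it.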