authorZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2015-02-23 20:06:00 -0500
committerZbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl>2015-04-14 21:47:20 -0400
commit17af49f24812a6dd1b3f0732e33ea5dae9e32b29 (patch)
tree630b21237bf041619345f74c29aa0e5a956a6006
parent40acc203c043fd419f3c045dc6f116c3a28411d8 (diff)
selinux: use different log priorites for log messages
When selinux calls our callback with a log message, it specifies the type as AVC or INFO/WARNING/ERROR. The question is how to map this to audit types and/or log priorities. SELINUX_AVC maps to AUDIT_USER_AVC reasonably, but for the other messages we have no idea, hence we use AUDIT_USER_AVC for everything. When not using audit logging, we can map those selinux levels to LOG_INFO/WARNING/ERROR etc. Also update comment which was not valid anymore in light of journald sucking in audit logs, and was actually wrong from the beginning — libselinux uses the callback for everything, not just avcs. This stemmed out of https://bugzilla.redhat.com/show_bug.cgi?id=1195330, but does not solve it.
-rw-r--r--src/core/selinux-access.c31
1 files changed, 24 insertions, 7 deletions
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c
index a8c9a4b888..7058b7802d 100644
--- a/src/core/selinux-access.c
+++ b/src/core/selinux-access.c
@@ -80,17 +80,33 @@ static int audit_callback(
return 0;
}
+static int callback_type_to_priority(int type) {
+ switch(type) {
+ case SELINUX_ERROR: return LOG_ERR;
+ case SELINUX_WARNING: return LOG_WARNING;
+ case SELINUX_INFO: return LOG_INFO;
+ case SELINUX_AVC:
+ default: return LOG_NOTICE;
+ }
+}
+
/*
- Any time an access gets denied this callback will be called
- code copied from dbus. If audit is turned on the messages will go as
- user_avc's into the /var/log/audit/audit.log, otherwise they will be
- sent to syslog.
+ libselinux uses this callback when access gets denied or other
+ events happen. If audit is turned on, messages will be reported
+ using audit netlink, otherwise they will be logged using the usual
+ channels.
+
+ Code copied from dbus and modified.
*/
_printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
va_list ap;
#ifdef HAVE_AUDIT
- if (get_audit_fd() >= 0) {
+ int fd;
+
+ fd = get_audit_fd();
+
+ if (fd >= 0) {
_cleanup_free_ char *buf = NULL;
int r;
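Review bot: The rewritten header comment above `log_callback` still lets a reader assume only denials reach the audit log, while the call on the audit path tags every callback type — INFO, WARNING and ERROR included — as `AUDIT_USER_AVC`, which the commit message acknowledges but the code comment does not; I would add a sentence after "using audit netlink": `All message types are reported as AUDIT_USER_AVC, since there is no closer audit record type for libselinux's non-AVC messages.` The new `callback_type_to_priority` also deserves a one-line comment stating that `SELINUX_AVC` and any unknown type deliberately fall through to `LOG_NOTICE`, so a future libselinux type is not silently demoted without someone noticing, e.g. `/* AVC denials and unrecognised types are logged at NOTICE; only the syslog path uses this, the audit path ignores type. */`. As a style nit, `switch(type)` should be `switch (type)` to match the spacing used elsewhere in this file. `log_callback`'s body continues past the end of this hunk.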
@@ -99,14 +115,15 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) {
va_end(ap);
if (r >= 0) {
- audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
+ audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0);
return 0;
}
}
#endif
va_start(ap, fmt);
- log_internalv(LOG_AUTH | LOG_INFO, 0, __FILE__, __LINE__, __FUNCTION__, fmt, ap);
+ log_internalv(LOG_AUTH | callback_type_to_priority(type),
+ 0, __FILE__, __LINE__, __FUNCTION__, fmt, ap);
va_end(ap);
return 0;