diff options
| author | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2015-02-23 20:06:00 -0500 |
|---|---|---|
| committer | Zbigniew Jędrzejewski-Szmek <zbyszek@in.waw.pl> | 2015-04-14 21:47:20 -0400 |
| commit | 17af49f24812a6dd1b3f0732e33ea5dae9e32b29 (patch) | |
| tree | 630b21237bf041619345f74c29aa0e5a956a6006 | |
| parent | 40acc203c043fd419f3c045dc6f116c3a28411d8 (diff) | |
selinux: use different log priorites for log messages
When selinux calls our callback with a log message, it specifies the
type as AVC or INFO/WARNING/ERROR. The question is how to map this to
audit types and/or log priorities. SELINUX_AVC maps to AUDIT_USER_AVC
reasonably, but for the other messages we have no idea, hence we use
AUDIT_USER_AVC for everything. When not using audit logging, we can
map those selinux levels to LOG_INFO/WARNING/ERROR etc.
Also update comment which was not valid anymore in light of journald
sucking in audit logs, and was actually wrong from the beginning —
libselinux uses the callback for everything, not just avcs.
This stemmed out of https://bugzilla.redhat.com/show_bug.cgi?id=1195330,
but does not solve it.
| -rw-r--r-- | src/core/selinux-access.c | 31 |
1 files changed, 24 insertions, 7 deletions
diff --git a/src/core/selinux-access.c b/src/core/selinux-access.c index a8c9a4b888..7058b7802d 100644 --- a/src/core/selinux-access.c +++ b/src/core/selinux-access.c @@ -80,17 +80,33 @@ static int audit_callback( return 0; } +static int callback_type_to_priority(int type) { + switch(type) { + case SELINUX_ERROR: return LOG_ERR; + case SELINUX_WARNING: return LOG_WARNING; + case SELINUX_INFO: return LOG_INFO; + case SELINUX_AVC: + default: return LOG_NOTICE; + } +} + /* - Any time an access gets denied this callback will be called - code copied from dbus. If audit is turned on the messages will go as - user_avc's into the /var/log/audit/audit.log, otherwise they will be - sent to syslog. + libselinux uses this callback when access gets denied or other + events happen. If audit is turned on, messages will be reported + using audit netlink, otherwise they will be logged using the usual + channels. + + Code copied from dbus and modified. */ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) { va_list ap; #ifdef HAVE_AUDIT - if (get_audit_fd() >= 0) { + int fd; + + fd = get_audit_fd(); + + if (fd >= 0) { _cleanup_free_ char *buf = NULL; int r; @@ -99,14 +115,15 @@ _printf_(2, 3) static int log_callback(int type, const char *fmt, ...) { va_end(ap); if (r >= 0) { - audit_log_user_avc_message(get_audit_fd(), AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0); + audit_log_user_avc_message(fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, 0); return 0; } } #endif va_start(ap, fmt); - log_internalv(LOG_AUTH | LOG_INFO, 0, __FILE__, __LINE__, __FUNCTION__, fmt, ap); + log_internalv(LOG_AUTH | callback_type_to_priority(type), + 0, __FILE__, __LINE__, __FUNCTION__, fmt, ap); va_end(ap); return 0; |