[PATCH] Audit: do not print error when SELinux disabled
Paul Moore
paul at paul-moore.com
Tue Oct 23 15:46:02 UTC 2012
On Tuesday, October 23, 2012 08:58:35 AM Eric Paris wrote:
> RHBZ: 785936
> About to be posted upstream
>
> If the audit system collects a record about one process sending a signal
> to another process it includes in that collection the 'secid' or 'an int
> used to represet an SELinux label.' If SELinux is disabled it will
> collect a 0. The problem is that when we attempt to print that record
> we ask the LSM to convert the secid back to a string. Since there is no
> LSM it returns EOPNOTSUPP.
>
> Most code in the audit system checks if the secid is 0 and does not
> print LSM info in that case. The signal information code however forgot
> that check. Thus users will see a message in syslog indicating that
> converting the sid to string failed. Add the right check.
>
> Signed-off-by: Eric Paris <eparis at redhat.com>
Looks good to me.
Reviewed-by: Paul Moore <paul at paul-moore.com>
> ---
>
> diff --git a/kernel/auditsc.c b/kernel/auditsc.c
> index 857f2e2..1f5cc03 100644
> --- a/kernel/auditsc.c
> +++ b/kernel/auditsc.c
> @@ -1195,12 +1195,14 @@ static int audit_log_pid_context(struct
> audit_context *context, pid_t pid,
>
> audit_log_format(ab, "opid=%d oauid=%d ouid=%d oses=%d", pid, auid,
> uid, sessionid);
> - if (security_secid_to_secctx(sid, &ctx, &len)) {
> - audit_log_format(ab, " obj=(none)");
> - rc = 1;
> - } else {
> - audit_log_format(ab, " obj=%s", ctx);
> - security_release_secctx(ctx, len);
> + if (sid) {
> + if (security_secid_to_secctx(sid, &ctx, &len)) {
> + audit_log_format(ab, " obj=(none)");
> + rc = 1;
> + } else {
> + audit_log_format(ab, " obj=%s", ctx);
> + security_release_secctx(ctx, len);
> + }
> }
> audit_log_format(ab, " ocomm=");
> audit_log_untrustedstring(ab, comm);
--
paul moore
www.paul-moore.com
More information about the Linux-audit
mailing list