[redhat-lspp] [RFC AUDIT] object audit filters based on SELinux context
Darrel Goeddel
dgoeddel at trustedcs.com
Fri Jun 23 22:01:17 UTC 2006
This is the userspace patch that will allow use of the SELinux object
filters from this RFC:
https://www.redhat.com/archives/redhat-lspp/2006-June/msg00194.html
The comments about trimming and renaming things from the above mail
also apply to this patch.
lib/fieldtab.h | 5 +++++
lib/libaudit.c | 22 ++++++++++++++++------
lib/libaudit.h | 8 ++++++++
src/auditctl.c | 8 +++++---
4 files changed, 34 insertions(+), 9 deletions(-)
diff --git a/lib/fieldtab.h b/lib/fieldtab.h
index a6f3121..a747752 100644
--- a/lib/fieldtab.h
+++ b/lib/fieldtab.h
@@ -40,6 +40,11 @@ _S(AUDIT_SE_TYPE, "se_type" )
_S(AUDIT_SE_SEN, "se_sen" )
_S(AUDIT_SE_CLR, "se_clr" )
_S(AUDIT_PPID, "ppid" )
+_S(AUDIT_SE_OUSER, "se_ouser" )
+_S(AUDIT_SE_OROLE, "se_orole" )
+_S(AUDIT_SE_OTYPE, "se_otype" )
+_S(AUDIT_SE_OL1, "se_ol1" )
+_S(AUDIT_SE_OL2, "se_ol2" )
_S(AUDIT_DEVMAJOR, "devmajor" )
_S(AUDIT_DEVMINOR, "devminor" )
diff --git a/lib/libaudit.c b/lib/libaudit.c
index b61df6c..fa3bd55 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -826,6 +826,11 @@ int audit_rule_fieldpair(struct audit_ru
case AUDIT_SE_TYPE:
case AUDIT_SE_SEN:
case AUDIT_SE_CLR:
+ case AUDIT_SE_OUSER:
+ case AUDIT_SE_OROLE:
+ case AUDIT_SE_OTYPE:
+ case AUDIT_SE_OL1:
+ case AUDIT_SE_OL2:
case AUDIT_WATCH:
return -10;
case AUDIT_DEVMAJOR...AUDIT_SUCCESS:
@@ -946,17 +951,22 @@ int audit_rule_fieldpair_data(struct aud
else
return -8;
break;
+ case AUDIT_SE_OUSER:
+ case AUDIT_SE_OROLE:
+ case AUDIT_SE_OTYPE:
+ case AUDIT_SE_OL1:
+ case AUDIT_SE_OL2:
+ case AUDIT_WATCH:
+ /* Watches and object context filters are only valid on
+ exit */
+ if (flags != AUDIT_FILTER_EXIT)
+ return -7;
+ /* fallthrough */
case AUDIT_SE_USER:
case AUDIT_SE_ROLE:
case AUDIT_SE_TYPE:
case AUDIT_SE_SEN:
case AUDIT_SE_CLR:
- case AUDIT_WATCH:
- /* Watch is invalid on anything but exit */
- if ((flags != AUDIT_FILTER_EXIT) &&
- (field == AUDIT_WATCH))
- return -7;
-
rule->values[rule->field_count] = strlen(v);
offset = rule->buflen;
rule->buflen += strlen(v);
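Review bot: The five object-context cases now fall through to the string-copy path using the same `-7` that the old code reserved for a watch placed on a non-exit list, so a caller that maps `-7` to a watch-specific diagnostic (that mapping is not in this hunk) will mislabel an `se_ouser=` rule put on the entry or task list. Either a distinct return value for the object fields or a comment at the return that records the widened meaning would keep the error reporting honest, e.g. `/* -7: exit-only field (watch or object context) used on another list */`. The copy that follows at `rule->buflen += strlen(v)` is pre-existing, and the rest of audit_rule_fieldpair_data, including any bound on `rule->buflen` against the rule buffer, lies outside the hunk.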
diff --git a/lib/libaudit.h b/lib/libaudit.h
index 8aab24e..9aaafbf 100644
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -209,6 +209,14 @@ #ifndef AUDIT_PPID
#define AUDIT_PPID 18
#endif
+#ifndef AUDIT_SE_OUSER
+#define AUDIT_SE_OUSER 19
+#define AUDIT_SE_OROLE 20
+#define AUDIT_SE_OTYPE 21
+#define AUDIT_SE_OL1 22
+#define AUDIT_SE_OL2 23
+#endif
+
/* This is from the file system auditing patch */
#ifndef AUDIT_WATCH
#define AUDIT_WATCH 105 /* This is a field in syscall rule */
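Review bot: The fallback values 19–23 are an ABI contract with the kernel side of the RFC, and a mismatch is silent — a rule built with `se_otype=` would be sent under a field number the kernel reads as something else, or rejects, with nothing at build time to show it. The `#ifndef` keys on `AUDIT_SE_OUSER` alone, so a kernel header that defines that name but lays the other four out differently is not caught either; if the cover mail's renaming happens, the guard name will also stop matching and the local values will win over the kernel's. A comment naming the source would help, e.g. `/* Object-context filter fields; values must match linux/audit.h from the object-filter RFC and are only a fallback when the kernel header lacks them */`, and the block needs to sit after the kernel header include for the guard to be meaningful — whether it does is not visible in this hunk.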
diff --git a/src/auditctl.c b/src/auditctl.c
index 045a38d..adf5f98 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -954,9 +954,11 @@ static int audit_print_reply(struct audi
audit_operator_to_symbol(op),
audit_msg_type_to_name(rep->rule->values[i]));
}
- } else if (field >= AUDIT_SE_USER &&
- field <= AUDIT_SE_CLR &&
- rep->type == AUDIT_LIST_RULES) {
+ } else if (rep->type == AUDIT_LIST_RULES &&
+ ((field >= AUDIT_SE_USER &&
+ field <= AUDIT_SE_CLR) ||
+ (field >= AUDIT_SE_OUSER &&
+ field <= AUDIT_SE_OL2))) {
printf(" %s%s%.*s", name,
audit_operator_to_symbol(op),
rep->ruledata->values[i],
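Review bot: The new branch routes five more fields through the `%.*s` print on the following lines, whose precision is `rep->ruledata->values[i]` — a length taken from the kernel's netlink reply and, as far as this hunk shows, used as-is. Unless the function validates these lengths against `rep->ruledata->buflen` earlier (audit_print_reply starts outside the hunk), a malformed or truncated reply lets printf read past the reply buffer; a check before the print such as `if (rep->ruledata->values[i] > rep->ruledata->buflen)` that bails out of the print would bound it. `%.*s` also takes an `int`, so if `values` is an unsigned 32-bit array a `(int)` cast keeps the call well-defined. The test `field >= AUDIT_SE_OUSER && field <= AUDIT_SE_OL2` assumes the five constants are contiguous, which the header hunk guarantees only for the fallback definitions.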
--
Darrel