diff options
author | Stephen Smalley <sds@tycho.nsa.gov> | 2010-02-02 11:31:51 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2010-02-03 08:49:10 +1100 |
commit | b6cac5a30b325e14cda425670bb3568d3cad0aa8 (patch) | |
tree | 276a3a2a985c862ac9439cb2f8facabb7d1f1944 | |
parent | 8e2d39a1665e680c095545993aac2fcac6916eb9 (diff) | |
download | blackbird-op-linux-b6cac5a30b325e14cda425670bb3568d3cad0aa8.tar.gz blackbird-op-linux-b6cac5a30b325e14cda425670bb3568d3cad0aa8.zip |
selinux: Only audit permissions specified in policy
Only audit the permissions specified by the policy rules.
Before:
type=AVC msg=audit(01/28/2010 14:30:46.690:3250) : avc: denied { read
append } for pid=14092 comm=foo name=test_file dev=dm-1 ino=132932
scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
After:
type=AVC msg=audit(01/28/2010 14:52:37.448:26) : avc: denied
{ append } for pid=1917 comm=foo name=test_file dev=dm-1 ino=132932
scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file
Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=558499
Reported-by: Tom London <selinux@gmail.com>
Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | security/selinux/avc.c | 17 |
1 files changed, 7 insertions, 10 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 3ee9b6a8beb6..db0fd9f33499 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -489,17 +489,14 @@ void avc_audit(u32 ssid, u32 tsid, struct common_audit_data stack_data; u32 denied, audited; denied = requested & ~avd->allowed; - if (denied) { - audited = denied; - if (!(audited & avd->auditdeny)) - return; - } else if (result) { + if (denied) + audited = denied & avd->auditdeny; + else if (result) audited = denied = requested; - } else { - audited = requested; - if (!(audited & avd->auditallow)) - return; - } + else + audited = requested & avd->auditallow; + if (!audited) + return; if (!a) { a = &stack_data; memset(a, 0, sizeof(*a)); |