diff options
author | KaiGai Kohei <kaigai@ak.jp.nec.com> | 2009-06-18 10:26:13 +0200 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-06-18 16:12:28 +0200 |
commit | 44c2d9bdd7022ca7d240d5adc009296fc1c6ce08 (patch) | |
tree | 33115ee8d7e167d2a26558c2af8e0edfdca099d5 /security/selinux/avc.c | |
parent | cleanup in ss/services.c (diff) | |
download | linux-44c2d9bdd7022ca7d240d5adc009296fc1c6ce08.tar.xz linux-44c2d9bdd7022ca7d240d5adc009296fc1c6ce08.zip |
Add audit messages on type boundary violations
The attached patch adds support to generate audit messages on two cases.
The first one is a case when a multi-thread process tries to switch its
performing security context using setcon(3), but new security context is
not bounded by the old one.
type=SELINUX_ERR msg=audit(1245311998.599:17): \
op=security_bounded_transition result=denied \
oldcontext=system_u:system_r:httpd_t:s0 \
newcontext=system_u:system_r:guest_webapp_t:s0
The other one is a case when security_compute_av() masked any permissions
due to the type boundary violation.
type=SELINUX_ERR msg=audit(1245312836.035:32): \
op=security_compute_av reason=bounds \
scontext=system_u:object_r:user_webapp_t:s0 \
tcontext=system_u:object_r:shadow_t:s0:c0 \
tclass=file perms=getattr,open
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/avc.c')
-rw-r--r-- | security/selinux/avc.c | 2 |
1 files changed, 1 insertions, 1 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c index 7f9b5fac8779..4bf5d08a1f5c 100644 --- a/security/selinux/avc.c +++ b/security/selinux/avc.c @@ -137,7 +137,7 @@ static inline int avc_hash(u32 ssid, u32 tsid, u16 tclass) * @tclass: target security class * @av: access vector */ -void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av) +static void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av) { const char **common_pts = NULL; u32 common_base = 0; |