diff options
author | KaiGai Kohei <kaigai@ak.jp.nec.com> | 2009-06-18 10:26:13 +0200 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-06-18 16:12:28 +0200 |
commit | 44c2d9bdd7022ca7d240d5adc009296fc1c6ce08 (patch) | |
tree | 33115ee8d7e167d2a26558c2af8e0edfdca099d5 /security/selinux/include | |
parent | cleanup in ss/services.c (diff) | |
download | linux-44c2d9bdd7022ca7d240d5adc009296fc1c6ce08.tar.xz linux-44c2d9bdd7022ca7d240d5adc009296fc1c6ce08.zip |
Add audit messages on type boundary violations
The attached patch adds support to generate audit messages on two cases.
The first one is a case when a multi-thread process tries to switch its
performing security context using setcon(3), but new security context is
not bounded by the old one.
type=SELINUX_ERR msg=audit(1245311998.599:17): \
op=security_bounded_transition result=denied \
oldcontext=system_u:system_r:httpd_t:s0 \
newcontext=system_u:system_r:guest_webapp_t:s0
The other one is a case when security_compute_av() masked any permissions
due to the type boundary violation.
type=SELINUX_ERR msg=audit(1245312836.035:32): \
op=security_compute_av reason=bounds \
scontext=system_u:object_r:user_webapp_t:s0 \
tcontext=system_u:object_r:shadow_t:s0:c0 \
tclass=file perms=getattr,open
Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/include')
-rw-r--r-- | security/selinux/include/avc.h | 3 |
1 files changed, 0 insertions, 3 deletions
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h index d12ff1a9c0aa..46a940d9af67 100644 --- a/security/selinux/include/avc.h +++ b/security/selinux/include/avc.h @@ -127,9 +127,6 @@ int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid, u32 events, u32 ssid, u32 tsid, u16 tclass, u32 perms); -/* Shows permission in human readable form */ -void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av); - /* Exported to selinuxfs */ int avc_get_hash_stats(char *page); extern unsigned int avc_cache_threshold; |