summaryrefslogtreecommitdiffstats
path: root/security/selinux/include
diff options
context:
space:
mode:
authorKaiGai Kohei <kaigai@ak.jp.nec.com>2009-06-18 10:26:13 +0200
committerJames Morris <jmorris@namei.org>2009-06-18 16:12:28 +0200
commit44c2d9bdd7022ca7d240d5adc009296fc1c6ce08 (patch)
tree33115ee8d7e167d2a26558c2af8e0edfdca099d5 /security/selinux/include
parentcleanup in ss/services.c (diff)
downloadlinux-44c2d9bdd7022ca7d240d5adc009296fc1c6ce08.tar.xz
linux-44c2d9bdd7022ca7d240d5adc009296fc1c6ce08.zip
Add audit messages on type boundary violations
The attached patch adds support to generate audit messages on two cases. The first one is a case when a multi-thread process tries to switch its performing security context using setcon(3), but new security context is not bounded by the old one. type=SELINUX_ERR msg=audit(1245311998.599:17): \ op=security_bounded_transition result=denied \ oldcontext=system_u:system_r:httpd_t:s0 \ newcontext=system_u:system_r:guest_webapp_t:s0 The other one is a case when security_compute_av() masked any permissions due to the type boundary violation. type=SELINUX_ERR msg=audit(1245312836.035:32): \ op=security_compute_av reason=bounds \ scontext=system_u:object_r:user_webapp_t:s0 \ tcontext=system_u:object_r:shadow_t:s0:c0 \ tclass=file perms=getattr,open Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/include')
-rw-r--r--security/selinux/include/avc.h3
1 files changed, 0 insertions, 3 deletions
diff --git a/security/selinux/include/avc.h b/security/selinux/include/avc.h
index d12ff1a9c0aa..46a940d9af67 100644
--- a/security/selinux/include/avc.h
+++ b/security/selinux/include/avc.h
@@ -127,9 +127,6 @@ int avc_add_callback(int (*callback)(u32 event, u32 ssid, u32 tsid,
u32 events, u32 ssid, u32 tsid,
u16 tclass, u32 perms);
-/* Shows permission in human readable form */
-void avc_dump_av(struct audit_buffer *ab, u16 tclass, u32 av);
-
/* Exported to selinuxfs */
int avc_get_hash_stats(char *page);
extern unsigned int avc_cache_threshold;