Commit b6cac5a3 authored by Stephen Smalley's avatar Stephen Smalley Committed by James Morris
Browse files

selinux: Only audit permissions specified in policy 

Only audit the permissions specified by the policy rules.

Before:
type=AVC msg=audit(01/28/2010 14:30:46.690:3250) : avc:  denied  { read
append } for  pid=14092 comm=foo name=test_file dev=dm-1 ino=132932
scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file

After:
type=AVC msg=audit(01/28/2010 14:52:37.448:26) : avc:  denied
{ append } for  pid=1917 comm=foo name=test_file dev=dm-1 ino=132932
scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023
tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file

Reference:
https://bugzilla.redhat.com/show_bug.cgi?id=558499



Reported-by: default avatarTom London <selinux@gmail.com>
Signed-off-by: default avatarStephen D. Smalley <sds@tycho.nsa.gov>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 8e2d39a1

security/selinux/avc.c

+7 −10
Original line number Diff line number Diff line
@@ -489,17 +489,14 @@ void avc_audit(u32 ssid, u32 tsid, 
	struct common_audit_data stack_data;

	u32 denied, audited;

	denied = requested & ~avd->allowed;

	if (denied) {

		audited = denied;

		if (!(audited & avd->auditdeny))

			return;

	} else if (result) {

	if (denied)

		audited = denied & avd->auditdeny;

	else if (result)

		audited = denied = requested;

	} else {

		audited = requested;

		if (!(audited & avd->auditallow))

	else

		audited = requested & avd->auditallow;

	if (!audited)

		return;

	}

	if (!a) {

		a = &stack_data;

		memset(a, 0, sizeof(*a));

CRA Git | Maintained and supported by SUSTech CRA and CCSE