This is an automated email from the git hooks/post-receive script. guillem pushed a commit to branch main in repository dpkg.
View the commit online: https://git.dpkg.org/cgit/dpkg/dpkg.git/commit/?id=2f1a97952b5f51e5e114416c0771e732aa20c25d

The following commit(s) were added to refs/heads/main by this push:
     new 2f1a97952 dpkg, dpkg-statoverride: Install SELinux log callback to filter messages

2f1a97952 is described below

commit 2f1a97952b5f51e5e114416c0771e732aa20c25d (HEAD -> main)
Author:     Christian Göttsche <[email protected]>
AuthorDate: Tue Oct 11 22:57:01 2022 +0200

    dpkg, dpkg-statoverride: Install SELinux log callback to filter messages

    Since libselinux 3.2, via commit 05bdc03130d7 ("libselinux: use kernel
    status page by default") [1], selinux_status_updated(3) will issue log
    messages on enforcing changes and policy loads.

    dpkg is only interested in whether the policy changed to then reload the
    SELinux label database.

    Ignore non-relevant log messages and forward messages of type error,
    warning and avc (which should be treated as error if not audited
    according to selinux_set_callback(3)).

    Example (the missing newline is a libselinux bug [2]):

        Unpacking valgrind-dbg (1:3.19.0-1) ...
        uavc: op=setenforce lsm=selinux enforcing=0 res=1Preparing to unpack .../vnstati_2.9-1_amd64.deb ...

    See also <https://github.com/rpm-software-management/rpm/pull/2201>.

    [1]: https://github.com/SELinuxProject/selinux/commit/05bdc03130d741e53e1fb45a958d0a2c184be503
    [2]: https://lore.kernel.org/selinux/[email protected]/

    [[email protected]:
     - Fix coding style.
     - Change warning prefix to "selinux:".
    ]

    Signed-off-by: Guillem Jover <[email protected]>
---
 src/common/selinux.c | 33 ++++++++++++++++++++++++++++++---
 1 file changed, 30 insertions(+), 3 deletions(-)

diff --git a/src/common/selinux.c b/src/common/selinux.c
index 07f87a3dd..b5d29d829 100644
--- a/src/common/selinux.c
+++ b/src/common/selinux.c
@@ -44,6 +44,33 @@ static struct selabel_handle *sehandle; #endif +#ifdef WITH_LIBSELINUX +static int DPKG_ATTR_PRINTF(2) +log_callback(int type, const char *fmt, ...) +{ + va_list ap; + char *msg; + + switch (type) { + case SELINUX_ERROR: + case SELINUX_WARNING: + case SELINUX_AVC: + break; + default: + return 0; + } + + va_start(ap, fmt); + m_vasprintf(&msg, fmt, ap); + va_end(ap); + + warning("selinux: %s", msg); + free(msg); + + return 0; +} +#endif + void dpkg_selabel_load(void) { @@ -65,9 +92,9 @@ dpkg_selabel_load(void) if (rc < 0) ohshit(_("cannot open security status notification channel")); - /* XXX: We could use selinux_set_callback() to redirect the - * errors from the other SELinux calls, but that does not seem - * worth it right now. */ + selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) { + .func_log = log_callback, + }); } else if (selinux_enabled && selinux_status_updated()) { /* The SELinux policy got updated in the kernel, usually after * upgrading the package shipping it, we need to reload. */ -- Dpkg.Org's dpkg
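Review bot: in log_callback() the formatted msg is handed to warning("selinux: %s", msg) as-is, but the fmt strings libselinux passes to the log callback normally end in their own newline (the commit message treats the one avc message without it as a libselinux bug), so the emitted warning will carry that embedded newline and split the line; strip it before the warning() call, e.g. `len = strlen(msg); if (len > 0 && msg[len - 1] == '\n') msg[len - 1] = '\0';`. The `default: return 0;` arm silently drops SELINUX_INFO, SELINUX_POLICYLOAD and SELINUX_SETENFORCE, which is the intended behaviour according to the commit message, but nothing in the code says so; a one-line comment above the switch noting that policy loads are already detected through selinux_status_updated() would keep the next reader from "fixing" it.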
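Review bot: in dpkg_selabel_load() the selinux_set_callback(SELINUX_CB_LOG, ...) call is placed after the `if (rc < 0) ohshit(...)` check, so any log message libselinux emits from the status-channel open that sets rc (and from whatever libselinux calls precede it in this branch) still goes to the default stderr logger and bypasses the new filter; move the selinux_set_callback() call above the open that sets rc so every libselinux message in this function takes the same path. The compound literal `(union selinux_callback) { .func_log = log_callback, }` is fine for C99, but it is worth checking that the build's other compilers and the WITH_LIBSELINUX-less build (where log_callback is not defined) both stay clean, since the #ifdef around log_callback and the call site are in different hunks.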

