The attached patch implements the full relabel audit event (i.e. an
audit event is emitted when a full relabel occurs, i.e. when /.autorelabel
exists at boot).
Note that although the code is correct, this patch doesn't actually
work due to kernel bugs [1].

 It'll be in Fedora development as part of policycoreutils-1.30.10-3
onwards.

[1] see the thread on linux-audit if you want the details.

-- 
James Antill <[EMAIL PROTECTED]>
diff -ru policycoreutils-1.30.10-orig/setfiles/setfiles.c policycoreutils-1.30.10/setfiles/setfiles.c
--- policycoreutils-1.30.10-orig/setfiles/setfiles.c	2006-05-23 06:20:03.000000000 -0400
+++ policycoreutils-1.30.10/setfiles/setfiles.c	2006-05-24 16:49:03.000000000 -0400
@@ -75,6 +75,11 @@
 #include <selinux/selinux.h>
 #include <syslog.h> 
 #include <libgen.h>
+#include <libaudit.h>
+
+#ifndef AUDIT_FS_RELABEL
+#define AUDIT_FS_RELABEL 2309
+#endif
 
 static int add_assoc = 1;
 static FILE *outfile=NULL;
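Review bot: The numeric fallback `#define AUDIT_FS_RELABEL 2309` carries no explanation of where the value comes from, and if it ever drifted from the kernel's definition the events would be emitted under a different, unnamed type without any build-time warning. A comment above the `#ifndef` such as `/* fallback for libaudit headers that predate this type; must match AUDIT_FS_RELABEL in the kernel's linux/audit.h */` would tell the next maintainer what to check. Because `<libaudit.h>` is included unconditionally, setfiles now hard-requires libaudit at build time, which is consistent with the Makefile change further down.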
@@ -395,7 +400,7 @@
 
 	/* trim trailing /, if present */
 	len = strlen(rootpath);
-	while ('/' == rootpath[len - 1])
+	while (len && ('/' == rootpath[len - 1]))
 		rootpath[--len] = 0;
 	rootpathlen = len;
 }
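Review bot: The new `len &&` guard stops the loop from indexing `rootpath[len - 1]` with `len == 0`, but it also means a rootpath made only of slashes (e.g. `/`) collapses to the empty string, since every character is stripped before the loop exits. If that is the intended result it deserves a comment on the loop, `/* a rootpath of only '/' characters collapses to "" */`; if not, the loop should stop while one character remains. The enclosing function begins outside the hunk, so I cannot see how an empty rootpath is used afterwards.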
@@ -443,11 +448,35 @@
   return 0;
 }
 
+static void maybe_audit_mass_relabel(int done_root, int errs)
+{
+  int audit_fd = -1;
+  int rc = 0;
+  
+  if (!done_root) /* only audit a forced full relabel */
+    return;
+  
+  audit_fd = audit_open();
+
+  if (audit_fd < 0) {
+    fprintf(stderr, "Error connecting to audit system.\n");
+    return;
+  }
+
+  rc = audit_log_user_message(audit_fd, AUDIT_FS_RELABEL,
+                              "op=mass relabel", NULL, NULL, NULL, !errs);
+  if (rc <= 0) {
+    fprintf(stderr, "Error sending audit message: %s.\n", strerror(errno));
+  }
+  audit_close(audit_fd);
+}
+
 int main(int argc, char **argv)
 {
 	struct stat sb;
 	int opt, rc, i;
-
+        int done_root = 0; /* have we processed the / directory as an arg */
+        
 	memset(excludeArray,0, sizeof(excludeArray));
 
 	/* Validate all file contexts during matchpathcon_init. */
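Review bot: In `maybe_audit_mass_relabel` the `rc <= 0` test prints `strerror(errno)` for both a negative and a zero return, but as far as I recall libaudit returns 0 from audit_log_user_message when auditing is not enabled, and in that case errno is stale and the message is misleading; `if (rc < 0)` for the errno message, with the zero case either silent or reported without errno, would be clearer. The helper also uses two-space indentation while the surrounding setfiles.c uses tabs, as do the `done_root` lines added to main. `strerror` and `errno` presumably already have their headers included earlier in the file; the hunk does not add them. main continues outside the hunk.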
@@ -618,6 +647,8 @@
 	}
 	else for (; optind < argc; optind++)
 	{
+                done_root |= !strcmp(argv[optind], "/");
+                
 		if (NULL != rootpath) {
 			qprintf("%s:  labeling files, pretending %s is /\n",
 				argv[0], rootpath);
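Review bot: `done_root |= !strcmp(argv[optind], "/");` recognises only the literal argument `/`, so a full relabel invoked with an equivalent spelling such as `//` would be carried out but not recorded as a mass relabel in the audit log. Normalising the argument before the comparison, for example with realpath(3) or the same trailing-slash trimming already applied to rootpath, would make the audit decision match what is actually relabeled. The `for` loop continues outside the hunk.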
@@ -648,6 +679,7 @@
 				fprintf(stderr,
 				"%s:  error while labeling files under %s\n",
 				argv[0], argv[optind]);
+				maybe_audit_mass_relabel(done_root, 1);
 				exit(1);
 			}
 		}
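Review bot: The failure event is emitted only on this one `exit(1)` path; if main has other error exits once labeling has started (I cannot see them from the hunk), a forced full relabel that aborts there would leave no audit record at all. Either route every post-start error exit through `maybe_audit_mass_relabel(done_root, 1)` or note in a comment why this path is the only one that matters. The enclosing loop begins and ends outside the hunk.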
@@ -664,6 +696,8 @@
 		matchpathcon_filespec_destroy();
 	}
 
+        maybe_audit_mass_relabel(done_root, 0);
+
 	if (warn_no_match)
 		matchpathcon_checkmatches(argv[0]);
 
--- policycoreutils-1.30.10-orig/setfiles/Makefile	2006-05-23 06:20:03.000000000 -0400
+++ policycoreutils-1.30.10/setfiles/Makefile	2006-05-24 18:10:41.000000000 -0400
@@ -7,6 +7,7 @@
 CFLAGS = -Werror -Wall -W 
 override CFLAGS += -D_FILE_OFFSET_BITS=64 -I$(PREFIX)/include
 LDLIBS = -lselinux -lsepol -L$(LIBDIR)
+LDLIBS += -laudit
 
 all: setfiles
 

