We have the information, so let's allow userspace audit messages to be filtered based on the SELinux context. In particular this can be useful to shut up the login events generated every time a cron job runs.
Signed-off-by: Eric Paris <[email protected]> --- kernel/auditfilter.c | 9 +++++++++ 1 files changed, 9 insertions(+), 0 deletions(-) diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c index 30ccdb9..6e251df 100644 --- a/kernel/auditfilter.c +++ b/kernel/auditfilter.c @@ -1252,6 +1252,15 @@ static int audit_filter_user_rules(struct netlink_skb_parms *cb, case AUDIT_LOGINUID: result = audit_comparator(cb->loginuid, f->op, f->val); break; + case AUDIT_SUBJ_USER: + case AUDIT_SUBJ_ROLE: + case AUDIT_SUBJ_TYPE: + case AUDIT_SUBJ_SEN: + case AUDIT_SUBJ_CLR: + result = security_audit_rule_match(cb->sid, f->type, + f->op, f->lsm_rule, + NULL); + break; } if (!result) -- Linux-audit mailing list [email protected] https://www.redhat.com/mailman/listinfo/linux-audit
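Review bot: the new AUDIT_SUBJ_* case in audit_filter_user_rules() passes f->lsm_rule to security_audit_rule_match() without checking that it is set, and stores the return value directly in result. Consider guarding the call with `if (f->lsm_rule)` so a rule whose LSM part was never initialised does not reach the LSM hook. It is also worth stating what a negative (error) return should mean here, because the `if (!result)` test that follows only catches zero, so an error from the LSM would not count as a non-match for this field. Since the stated goal is to suppress events, a short comment on that choice would help: a filter that matches on error drops audit records silently.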
