Re: [PATCH V2] libselinux: Add permissive= entry to avc audit log

2017-04-28 Thread Stephen Smalley 
On Fri, 2017-04-28 at 14:05 +0100, Richard Haines wrote:
> Add audit log entry to specify whether the decision was made in
> permissive mode/permissive domain or enforcing mode.
> 
> Signed-off-by: Richard Haines 

Thanks, applied.

> ---
> V2 changes: Remove utilities and follow the kernel way of detecting
> whether permissive or not.
> 
>  libselinux/src/avc.c | 4 
>  1 file changed, 4 insertions(+)
> 
> diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
> index b1ec57f..96b2678 100644
> --- a/libselinux/src/avc.c
> +++ b/libselinux/src/avc.c
> @@ -723,6 +723,10 @@ void avc_audit(security_id_t ssid, security_id_t
> tsid,
>  
>   log_append(avc_audit_buf, " ");
>   avc_dump_query(ssid, tsid, tclass);
> +
> + if (denied)
> + log_append(avc_audit_buf, " permissive=%u", result ?
> 0 : 1);
> +
>   log_append(avc_audit_buf, "\n");
>   avc_log(SELINUX_AVC, "%s", avc_audit_buf);
>  

Re: [PATCH V2] libselinux: Add permissive= entry to avc audit log

2017-04-28 Thread Richard Haines 
On Fri, 2017-04-28 at 15:10 +0200, Dominick Grift wrote:
> On Fri, Apr 28, 2017 at 02:05:16PM +0100, Richard Haines wrote:
> > Add audit log entry to specify whether the decision was made in
> > permissive mode/permissive domain or enforcing mode.
> > 
> > Signed-off-by: Richard Haines 
> > ---
> > V2 changes: Remove utilities and follow the kernel way of detecting
> > whether permissive or not.
> > 
> >  libselinux/src/avc.c | 4 
> >  1 file changed, 4 insertions(+)
> > 
> > diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
> > index b1ec57f..96b2678 100644
> > --- a/libselinux/src/avc.c
> > +++ b/libselinux/src/avc.c
> > @@ -723,6 +723,10 @@ void avc_audit(security_id_t ssid,
> > security_id_t tsid,
> >  
> >     log_append(avc_audit_buf, " ");
> >     avc_dump_query(ssid, tsid, tclass);
> > +
> > +   if (denied)
> > +   log_append(avc_audit_buf, " permissive=%u", result
> > ? 0 : 1);
> > +
> >     log_append(avc_audit_buf, "\n");
> >     avc_log(SELINUX_AVC, "%s", avc_audit_buf);
> >  
> > -- 
> > 2.9.3
> > 
> 
> I hope you will still submit the utils as well. I think/hope that the
> selinux_check_access util can be used with shell scripts to create a
> simple user space object manager example

Yes I will at some stage - just thinking of how to reply to Stephen's
email on the subject and checking what ones I've already submitted to
libselinux/utils. I have a number of these little
utils/samples/examples that I use to test various bits of
libsepol/libselinux and submit those I use to test my patches.

Before I submit any I'll take your suggestion into acount. All ideas
welcome.
>

Re: [PATCH V2] libselinux: Add permissive= entry to avc audit log

2017-04-28 Thread Dominick Grift 
On Fri, Apr 28, 2017 at 02:05:16PM +0100, Richard Haines wrote:
> Add audit log entry to specify whether the decision was made in
> permissive mode/permissive domain or enforcing mode.
> 
> Signed-off-by: Richard Haines 
> ---
> V2 changes: Remove utilities and follow the kernel way of detecting
> whether permissive or not.
> 
>  libselinux/src/avc.c | 4 
>  1 file changed, 4 insertions(+)
> 
> diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
> index b1ec57f..96b2678 100644
> --- a/libselinux/src/avc.c
> +++ b/libselinux/src/avc.c
> @@ -723,6 +723,10 @@ void avc_audit(security_id_t ssid, security_id_t tsid,
>  
>   log_append(avc_audit_buf, " ");
>   avc_dump_query(ssid, tsid, tclass);
> +
> + if (denied)
> + log_append(avc_audit_buf, " permissive=%u", result ? 0 : 1);
> +
>   log_append(avc_audit_buf, "\n");
>   avc_log(SELINUX_AVC, "%s", avc_audit_buf);
>  
> -- 
> 2.9.3
> 

I hope you will still submit the utils as well. I think/hope that the 
selinux_check_access util can be used with shell scripts to create a simple 
user space object manager example

-- 
Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8  02D5 3B6C 5F1D 2C7B 6B02
https://sks-keyservers.net/pks/lookup?op=get=0x3B6C5F1D2C7B6B02
Dominick Grift


signature.asc
Description: PGP signature