This is the userspace patch that will allow use of the SELinux object filters from this RFC:
https://www.redhat.com/archives/redhat-lspp/2006-June/msg00194.html The comments about trimming and renaming things from the above mail also apply to this patch.
 lib/fieldtab.h | 5 +++++
 lib/libaudit.c | 22 ++++++++++++++++------
 lib/libaudit.h | 8 ++++++++
 src/auditctl.c | 8 +++++---
 4 files changed, 34 insertions(+), 9 deletions(-)
diff --git a/lib/fieldtab.h b/lib/fieldtab.h
index a6f3121..a747752 100644
--- a/lib/fieldtab.h
+++ b/lib/fieldtab.h
@@ -40,6 +40,11 @@ _S(AUDIT_SE_TYPE, "se_type" )
 _S(AUDIT_SE_SEN, "se_sen" )
 _S(AUDIT_SE_CLR, "se_clr" )
 _S(AUDIT_PPID, "ppid" )
+_S(AUDIT_SE_OUSER, "se_ouser" )
+_S(AUDIT_SE_OROLE, "se_orole" )
+_S(AUDIT_SE_OTYPE, "se_otype" )
+_S(AUDIT_SE_OL1, "se_ol1" )
+_S(AUDIT_SE_OL2, "se_ol2" )
 _S(AUDIT_DEVMAJOR, "devmajor" )
 _S(AUDIT_DEVMINOR, "devminor" )
diff --git a/lib/libaudit.c b/lib/libaudit.c
index b61df6c..fa3bd55 100644
--- a/lib/libaudit.c
+++ b/lib/libaudit.c
@@ -826,6 +826,11 @@ int audit_rule_fieldpair(struct audit_ru
 case AUDIT_SE_TYPE:
 case AUDIT_SE_SEN:
 case AUDIT_SE_CLR:
+ case AUDIT_SE_OUSER:
+ case AUDIT_SE_OROLE:
+ case AUDIT_SE_OTYPE:
+ case AUDIT_SE_OL1:
+ case AUDIT_SE_OL2:
 case AUDIT_WATCH:
 return -10;
 case AUDIT_DEVMAJOR...AUDIT_SUCCESS:
@@ -946,17 +951,22 @@ int audit_rule_fieldpair_data(struct aud
 else
 return -8;
 break;
+ case AUDIT_SE_OUSER:
+ case AUDIT_SE_OROLE:
+ case AUDIT_SE_OTYPE:
+ case AUDIT_SE_OL1:
+ case AUDIT_SE_OL2:
+ case AUDIT_WATCH:
+ /* Watches and object context filters are only valid on
+ exit */
+ if (flags != AUDIT_FILTER_EXIT)
+ return -7;
+ /* fallthrough */
 case AUDIT_SE_USER:
 case AUDIT_SE_ROLE:
 case AUDIT_SE_TYPE:
 case AUDIT_SE_SEN:
 case AUDIT_SE_CLR:
- case AUDIT_WATCH:
- /* Watch is invalid on anything but exit */
- if ((flags != AUDIT_FILTER_EXIT) &&
- (field == AUDIT_WATCH))
- return -7;
-
 rule->values[rule->field_count] = strlen(v);
 offset = rule->buflen;
 rule->buflen += strlen(v);
diff --git a/lib/libaudit.h b/lib/libaudit.h
index 8aab24e..9aaafbf 100644
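Review bot: In the second lib/libaudit.c hunk (audit_rule_fieldpair_data), the exit-only check now returns -7 for the five se_o* fields as well as for AUDIT_WATCH, yet the only src/auditctl.c change in this patch is in audit_print_reply, so whatever turns -7 into a message is untouched. If that message still speaks of watches, an administrator who puts se_otype on a non-exit list gets a misleading reason for a rejected audit rule; reword it or return a distinct code. I would also name the shared meaning next to the check, e.g. `/* -7: field is only valid on the exit filter list */`. The function starts and ends outside the hunk.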
--- a/lib/libaudit.h
+++ b/lib/libaudit.h
@@ -209,6 +209,14 @@ #ifndef AUDIT_PPID
 #define AUDIT_PPID 18
 #endif
+#ifndef AUDIT_SE_OUSER
+#define AUDIT_SE_OUSER 19
+#define AUDIT_SE_OROLE 20
+#define AUDIT_SE_OTYPE 21
+#define AUDIT_SE_OL1 22
+#define AUDIT_SE_OL2 23
+#endif
+
 /* This is from the file system auditing patch */
 #ifndef AUDIT_WATCH
 #define AUDIT_WATCH 105 /* This is a field in syscall rule */
diff --git a/src/auditctl.c b/src/auditctl.c
index 045a38d..adf5f98 100644
--- a/src/auditctl.c
+++ b/src/auditctl.c
@@ -954,9 +954,11 @@ static int audit_print_reply(struct audi
 audit_operator_to_symbol(op),
 audit_msg_type_to_name(rep->rule->values[i]));
 }
- } else if (field >= AUDIT_SE_USER &&
- field <= AUDIT_SE_CLR &&
- rep->type == AUDIT_LIST_RULES) {
+ } else if (rep->type == AUDIT_LIST_RULES &&
+ ((field >= AUDIT_SE_USER &&
+ field <= AUDIT_SE_CLR) ||
+ (field >= AUDIT_SE_OUSER &&
+ field <= AUDIT_SE_OL2))) {
 printf(" %s%s%.*s", name,
 audit_operator_to_symbol(op),
 rep->ruledata->values[i],
-- Darrel
-- redhat-lspp mailing list [email protected] https://www.redhat.com/mailman/listinfo/redhat-lspp
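Review bot: The single `#ifndef AUDIT_SE_OUSER` guard in lib/libaudit.h decides for all five constants, so a kernel header that defines AUDIT_SE_OUSER but not, say, AUDIT_SE_OL1 leaves the rest undefined, and one that defines only a later name can clash with the definitions here. That is plausible while the names are still being trimmed and renamed, as the description says. Guard each macro on its own, in the style already used for AUDIT_PPID: `#ifndef AUDIT_SE_OROLE` / `#define AUDIT_SE_OROLE 20` / `#endif`. A short comment saying which kernel patch the values 19–23 mirror would help, since a mismatch would load rules against the wrong field.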
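Review bot: The new condition in audit_print_reply picks the string-valued fields by numeric range (`field >= AUDIT_SE_OUSER && field <= AUDIT_SE_OL2`), which holds only while the five constants stay contiguous and in this order, and the description says the names are still subject to trimming and renaming. The same set is already spelled out as case labels in audit_rule_fieldpair_data, so an explicit list here (a small static helper with a `switch` over the ten AUDIT_SE_* fields) would keep rule listing in step with rule parsing. Otherwise a renumbered field could be listed through the wrong branch, and an administrator reviewing loaded rules would see a misleading value. audit_print_reply starts and ends outside the hunk.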
