[PATCH XSERVER 2/2] selinux: log events with appropriate audit type

From: "Christian Göttsche" <cgzones@googlemail.com>
To: selinux@vger.kernel.org
Subject: [PATCH XSERVER 2/2] selinux: log events with appropriate audit type
Date: Thu, 25 Nov 2021 20:27:10 +0100	[thread overview]
Message-ID: <20211125192710.191445-2-cgzones@googlemail.com> (raw)
In-Reply-To: <20211125192710.191445-1-cgzones@googlemail.com>

Use the appropriate audit type for SELINUX_ERROR, SELINUX_POLICYLOAD and
SELINUX_SETENFORCE libselinux messages, e.g. avoid USER_SELINUX_ERR for
policy load events:
    audit[980]: USER_SELINUX_ERR pid=980 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:xorg_t:s0 msg='avc:  op=load_policy lsm=selinux seqno=8 res=1 exe="/usr/lib/xorg/Xorg" sauid=0 hostname=? addr=? terminal=?'

Do not generate an audit event for SELINUX_WARNING messages.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
See upstream merge request https://gitlab.freedesktop.org/xorg/xserver/-/merge_requests/801
---
 Xext/xselinux_hooks.c | 24 ++++++++++++++++++++----
 1 file changed, 20 insertions(+), 4 deletions(-)

diff --git a/Xext/xselinux_hooks.c b/Xext/xselinux_hooks.c
index b9d47103a..4305ba9b4 100644
--- a/Xext/xselinux_hooks.c
+++ b/Xext/xselinux_hooks.c
@@ -301,25 +301,41 @@ SELinuxLog(int type, const char *fmt, ...)
 {
     va_list ap;
     char buf[MAX_AUDIT_MESSAGE_LENGTH];
-    int rc, aut;
+    int aut;
 
     switch (type) {
+    case SELINUX_ERROR:
+        aut = AUDIT_USER_SELINUX_ERR;
+        break;
     case SELINUX_INFO:
         aut = AUDIT_USER_MAC_POLICY_LOAD;
         break;
     case SELINUX_AVC:
         aut = AUDIT_USER_AVC;
         break;
+#ifdef SELINUX_POLICYLOAD /* since libselinux 3.2 */
+    case SELINUX_POLICYLOAD:
+        aut = AUDIT_USER_MAC_POLICY_LOAD;
+        break;
+#endif
+#if defined(SELINUX_SETENFORCE) && defined(AUDIT_USER_MAC_STATUS) /* since libselinux 3.2 and audit 3.0 */
+    case SELINUX_SETENFORCE:
+        aut = AUDIT_USER_MAC_STATUS;
+        break;
+#endif
+    case SELINUX_WARNING:
     default:
-        aut = AUDIT_USER_SELINUX_ERR;
+        /* Do not generate an audit event, just log normally. */
+        aut = -1;
         break;
     }
 
     va_start(ap, fmt);
     vsnprintf(buf, MAX_AUDIT_MESSAGE_LENGTH, fmt, ap);
-    rc = audit_log_user_avc_message(audit_fd, aut, buf, NULL, NULL, NULL, 0);
-    (void) rc;
     va_end(ap);
+
+    if (aut != -1)
+        (void) audit_log_user_avc_message(audit_fd, aut, buf, NULL, NULL, NULL, 0);
     LogMessageVerb(X_WARNING, 0, "%s", buf);
     return 0;
 }
-- 
2.34.0

