* [PATCH] libselinux: avoid newline in avc message
@ 2022-08-08 17:34 Christian Göttsche
2022-08-10 15:33 ` James Carter
0 siblings, 1 reply; 3+ messages in thread
From: Christian Göttsche @ 2022-08-08 17:34 UTC (permalink / raw)
To: selinux
Do not add a final newline to the avc log message as it will be treated
as a part of the tclass field in final audit record:
{
"AUDIT_FIELD_EXE" : "/usr/bin/dbus-broker",
"_UID" : "104",
"_AUDIT_SESSION" : "4294967295",
"_TRANSPORT" : "audit",
"__REALTIME_TIMESTAMP" : "1659975331468531",
"_AUDIT_TYPE" : "1107",
"AUDIT_FIELD_SCONTEXT" : "system_u:system_r:systemd_t:s0",
"_AUDIT_LOGINUID" : "4294967295",
"_SELINUX_CONTEXT" : "system_u:system_r:system_dbusd_t:s0-s0:c0.c1023",
"AUDIT_FIELD_SAUID" : "104",
"MESSAGE" : "USER_AVC pid=1538 uid=104 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus\n exe=\"/usr/bin/dbus-broker\" sauid=104 hostname=? addr=? terminal=?'",
"AUDIT_FIELD_TCONTEXT" : "system_u:system_r:systemd_logind_t:s0",
"_SOURCE_REALTIME_TIMESTAMP" : "1659975331462000",
"__MONOTONIC_TIMESTAMP" : "207995768",
"AUDIT_FIELD_TCLASS" : "dbus\n",
"AUDIT_FIELD_TERMINAL" : "?",
"_PID" : "1538",
"SYSLOG_FACILITY" : "4",
"_BOOT_ID" : "3921464b65f64fb4a7c037dee97cd6ad",
"SYSLOG_IDENTIFIER" : "audit",
"_MACHINE_ID" : "5d78c28f10d54c0fb7b6fd1acc6af8ff",
"_AUDIT_TYPE_NAME" : "USER_AVC",
"__CURSOR" : "s=84589ce96ff8400189fc515ff892674a;i=c38e;b=3921464b65f64fb4a7c037dee97cd6ad;m=c65c378;t=5e5bd1ff7d4f3;x=c22e610fc9b00b10",
"AUDIT_FIELD_ADDR" : "?",
"AUDIT_FIELD_HOSTNAME" : "?",
"_AUDIT_ID" : "1075",
"_HOSTNAME" : "debianBullseye"
}
Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
libselinux/src/avc.c | 1 -
1 file changed, 1 deletion(-)
diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
index 7493e4b2..8d5983a2 100644
--- a/libselinux/src/avc.c
+++ b/libselinux/src/avc.c
@@ -725,7 +725,6 @@ void avc_audit(security_id_t ssid, security_id_t tsid,
if (denied)
log_append(avc_audit_buf, " permissive=%u", result ? 0 : 1);
- log_append(avc_audit_buf, "\n");
avc_log(SELINUX_AVC, "%s", avc_audit_buf);
avc_release_lock(avc_log_lock);
--
2.36.1
^ permalink raw reply related [flat|nested] 3+ messages in thread
* Re: [PATCH] libselinux: avoid newline in avc message
2022-08-08 17:34 [PATCH] libselinux: avoid newline in avc message Christian Göttsche
@ 2022-08-10 15:33 ` James Carter
2022-08-15 15:53 ` James Carter
0 siblings, 1 reply; 3+ messages in thread
From: James Carter @ 2022-08-10 15:33 UTC (permalink / raw)
To: Christian Göttsche; +Cc: selinux
On Mon, Aug 8, 2022 at 1:36 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Do not add a final newline to the avc log message as it will be treated
> as a part of the tclass field in final audit record:
>
> {
> "AUDIT_FIELD_EXE" : "/usr/bin/dbus-broker",
> "_UID" : "104",
> "_AUDIT_SESSION" : "4294967295",
> "_TRANSPORT" : "audit",
> "__REALTIME_TIMESTAMP" : "1659975331468531",
> "_AUDIT_TYPE" : "1107",
> "AUDIT_FIELD_SCONTEXT" : "system_u:system_r:systemd_t:s0",
> "_AUDIT_LOGINUID" : "4294967295",
> "_SELINUX_CONTEXT" : "system_u:system_r:system_dbusd_t:s0-s0:c0.c1023",
> "AUDIT_FIELD_SAUID" : "104",
> "MESSAGE" : "USER_AVC pid=1538 uid=104 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus\n exe=\"/usr/bin/dbus-broker\" sauid=104 hostname=? addr=? terminal=?'",
> "AUDIT_FIELD_TCONTEXT" : "system_u:system_r:systemd_logind_t:s0",
> "_SOURCE_REALTIME_TIMESTAMP" : "1659975331462000",
> "__MONOTONIC_TIMESTAMP" : "207995768",
> "AUDIT_FIELD_TCLASS" : "dbus\n",
> "AUDIT_FIELD_TERMINAL" : "?",
> "_PID" : "1538",
> "SYSLOG_FACILITY" : "4",
> "_BOOT_ID" : "3921464b65f64fb4a7c037dee97cd6ad",
> "SYSLOG_IDENTIFIER" : "audit",
> "_MACHINE_ID" : "5d78c28f10d54c0fb7b6fd1acc6af8ff",
> "_AUDIT_TYPE_NAME" : "USER_AVC",
> "__CURSOR" : "s=84589ce96ff8400189fc515ff892674a;i=c38e;b=3921464b65f64fb4a7c037dee97cd6ad;m=c65c378;t=5e5bd1ff7d4f3;x=c22e610fc9b00b10",
> "AUDIT_FIELD_ADDR" : "?",
> "AUDIT_FIELD_HOSTNAME" : "?",
> "_AUDIT_ID" : "1075",
> "_HOSTNAME" : "debianBullseye"
> }
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Acked-by: James Carter <jwcart2@gmail.com>
> ---
> libselinux/src/avc.c | 1 -
> 1 file changed, 1 deletion(-)
>
> diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
> index 7493e4b2..8d5983a2 100644
> --- a/libselinux/src/avc.c
> +++ b/libselinux/src/avc.c
> @@ -725,7 +725,6 @@ void avc_audit(security_id_t ssid, security_id_t tsid,
> if (denied)
> log_append(avc_audit_buf, " permissive=%u", result ? 0 : 1);
>
> - log_append(avc_audit_buf, "\n");
> avc_log(SELINUX_AVC, "%s", avc_audit_buf);
>
> avc_release_lock(avc_log_lock);
> --
> 2.36.1
>
^ permalink raw reply [flat|nested] 3+ messages in thread
* Re: [PATCH] libselinux: avoid newline in avc message
2022-08-10 15:33 ` James Carter
@ 2022-08-15 15:53 ` James Carter
0 siblings, 0 replies; 3+ messages in thread
From: James Carter @ 2022-08-15 15:53 UTC (permalink / raw)
To: Christian Göttsche; +Cc: selinux
On Wed, Aug 10, 2022 at 11:33 AM James Carter <jwcart2@gmail.com> wrote:
>
> On Mon, Aug 8, 2022 at 1:36 PM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> >
> > Do not add a final newline to the avc log message as it will be treated
> > as a part of the tclass field in final audit record:
> >
> > {
> > "AUDIT_FIELD_EXE" : "/usr/bin/dbus-broker",
> > "_UID" : "104",
> > "_AUDIT_SESSION" : "4294967295",
> > "_TRANSPORT" : "audit",
> > "__REALTIME_TIMESTAMP" : "1659975331468531",
> > "_AUDIT_TYPE" : "1107",
> > "AUDIT_FIELD_SCONTEXT" : "system_u:system_r:systemd_t:s0",
> > "_AUDIT_LOGINUID" : "4294967295",
> > "_SELINUX_CONTEXT" : "system_u:system_r:system_dbusd_t:s0-s0:c0.c1023",
> > "AUDIT_FIELD_SAUID" : "104",
> > "MESSAGE" : "USER_AVC pid=1538 uid=104 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc: granted { send_msg } for scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus\n exe=\"/usr/bin/dbus-broker\" sauid=104 hostname=? addr=? terminal=?'",
> > "AUDIT_FIELD_TCONTEXT" : "system_u:system_r:systemd_logind_t:s0",
> > "_SOURCE_REALTIME_TIMESTAMP" : "1659975331462000",
> > "__MONOTONIC_TIMESTAMP" : "207995768",
> > "AUDIT_FIELD_TCLASS" : "dbus\n",
> > "AUDIT_FIELD_TERMINAL" : "?",
> > "_PID" : "1538",
> > "SYSLOG_FACILITY" : "4",
> > "_BOOT_ID" : "3921464b65f64fb4a7c037dee97cd6ad",
> > "SYSLOG_IDENTIFIER" : "audit",
> > "_MACHINE_ID" : "5d78c28f10d54c0fb7b6fd1acc6af8ff",
> > "_AUDIT_TYPE_NAME" : "USER_AVC",
> > "__CURSOR" : "s=84589ce96ff8400189fc515ff892674a;i=c38e;b=3921464b65f64fb4a7c037dee97cd6ad;m=c65c378;t=5e5bd1ff7d4f3;x=c22e610fc9b00b10",
> > "AUDIT_FIELD_ADDR" : "?",
> > "AUDIT_FIELD_HOSTNAME" : "?",
> > "_AUDIT_ID" : "1075",
> > "_HOSTNAME" : "debianBullseye"
> > }
> >
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> Acked-by: James Carter <jwcart2@gmail.com>
>
Merged.
Thanks,
Jim
> > ---
> > libselinux/src/avc.c | 1 -
> > 1 file changed, 1 deletion(-)
> >
> > diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
> > index 7493e4b2..8d5983a2 100644
> > --- a/libselinux/src/avc.c
> > +++ b/libselinux/src/avc.c
> > @@ -725,7 +725,6 @@ void avc_audit(security_id_t ssid, security_id_t tsid,
> > if (denied)
> > log_append(avc_audit_buf, " permissive=%u", result ? 0 : 1);
> >
> > - log_append(avc_audit_buf, "\n");
> > avc_log(SELINUX_AVC, "%s", avc_audit_buf);
> >
> > avc_release_lock(avc_log_lock);
> > --
> > 2.36.1
> >
^ permalink raw reply [flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-08-15 15:53 UTC | newest]
Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-08-08 17:34 [PATCH] libselinux: avoid newline in avc message Christian Göttsche
2022-08-10 15:33 ` James Carter
2022-08-15 15:53 ` James Carter
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).