selinux.vger.kernel.org archive mirror
 help / color / mirror / Atom feed
* [PATCH] libselinux: avoid newline in avc message
@ 2022-08-08 17:34 Christian Göttsche
  2022-08-10 15:33 ` James Carter
  0 siblings, 1 reply; 3+ messages in thread
From: Christian Göttsche @ 2022-08-08 17:34 UTC (permalink / raw)
  To: selinux

Do not add a final newline to the avc log message as it will be treated
as a part of the tclass field in final audit record:

    {
        "AUDIT_FIELD_EXE" : "/usr/bin/dbus-broker",
        "_UID" : "104",
        "_AUDIT_SESSION" : "4294967295",
        "_TRANSPORT" : "audit",
        "__REALTIME_TIMESTAMP" : "1659975331468531",
        "_AUDIT_TYPE" : "1107",
        "AUDIT_FIELD_SCONTEXT" : "system_u:system_r:systemd_t:s0",
        "_AUDIT_LOGINUID" : "4294967295",
        "_SELINUX_CONTEXT" : "system_u:system_r:system_dbusd_t:s0-s0:c0.c1023",
        "AUDIT_FIELD_SAUID" : "104",
        "MESSAGE" : "USER_AVC pid=1538 uid=104 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  granted  { send_msg } for  scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus\n exe=\"/usr/bin/dbus-broker\" sauid=104 hostname=? addr=? terminal=?'",
        "AUDIT_FIELD_TCONTEXT" : "system_u:system_r:systemd_logind_t:s0",
        "_SOURCE_REALTIME_TIMESTAMP" : "1659975331462000",
        "__MONOTONIC_TIMESTAMP" : "207995768",
        "AUDIT_FIELD_TCLASS" : "dbus\n",
        "AUDIT_FIELD_TERMINAL" : "?",
        "_PID" : "1538",
        "SYSLOG_FACILITY" : "4",
        "_BOOT_ID" : "3921464b65f64fb4a7c037dee97cd6ad",
        "SYSLOG_IDENTIFIER" : "audit",
        "_MACHINE_ID" : "5d78c28f10d54c0fb7b6fd1acc6af8ff",
        "_AUDIT_TYPE_NAME" : "USER_AVC",
        "__CURSOR" : "s=84589ce96ff8400189fc515ff892674a;i=c38e;b=3921464b65f64fb4a7c037dee97cd6ad;m=c65c378;t=5e5bd1ff7d4f3;x=c22e610fc9b00b10",
        "AUDIT_FIELD_ADDR" : "?",
        "AUDIT_FIELD_HOSTNAME" : "?",
        "_AUDIT_ID" : "1075",
        "_HOSTNAME" : "debianBullseye"
    }

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
---
 libselinux/src/avc.c | 1 -
 1 file changed, 1 deletion(-)

diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
index 7493e4b2..8d5983a2 100644
--- a/libselinux/src/avc.c
+++ b/libselinux/src/avc.c
@@ -725,7 +725,6 @@ void avc_audit(security_id_t ssid, security_id_t tsid,
 	if (denied)
 		log_append(avc_audit_buf, " permissive=%u", result ? 0 : 1);
 
-	log_append(avc_audit_buf, "\n");
 	avc_log(SELINUX_AVC, "%s", avc_audit_buf);
 
 	avc_release_lock(avc_log_lock);
-- 
2.36.1


^ permalink raw reply related	[flat|nested] 3+ messages in thread
* Re: [PATCH] libselinux: avoid newline in avc message
  2022-08-08 17:34 [PATCH] libselinux: avoid newline in avc message Christian Göttsche
@ 2022-08-10 15:33 ` James Carter
  2022-08-15 15:53   ` James Carter
  0 siblings, 1 reply; 3+ messages in thread
From: James Carter @ 2022-08-10 15:33 UTC (permalink / raw)
  To: Christian Göttsche; +Cc: selinux

On Mon, Aug 8, 2022 at 1:36 PM Christian Göttsche
<cgzones@googlemail.com> wrote:
>
> Do not add a final newline to the avc log message as it will be treated
> as a part of the tclass field in final audit record:
>
>     {
>         "AUDIT_FIELD_EXE" : "/usr/bin/dbus-broker",
>         "_UID" : "104",
>         "_AUDIT_SESSION" : "4294967295",
>         "_TRANSPORT" : "audit",
>         "__REALTIME_TIMESTAMP" : "1659975331468531",
>         "_AUDIT_TYPE" : "1107",
>         "AUDIT_FIELD_SCONTEXT" : "system_u:system_r:systemd_t:s0",
>         "_AUDIT_LOGINUID" : "4294967295",
>         "_SELINUX_CONTEXT" : "system_u:system_r:system_dbusd_t:s0-s0:c0.c1023",
>         "AUDIT_FIELD_SAUID" : "104",
>         "MESSAGE" : "USER_AVC pid=1538 uid=104 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  granted  { send_msg } for  scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus\n exe=\"/usr/bin/dbus-broker\" sauid=104 hostname=? addr=? terminal=?'",
>         "AUDIT_FIELD_TCONTEXT" : "system_u:system_r:systemd_logind_t:s0",
>         "_SOURCE_REALTIME_TIMESTAMP" : "1659975331462000",
>         "__MONOTONIC_TIMESTAMP" : "207995768",
>         "AUDIT_FIELD_TCLASS" : "dbus\n",
>         "AUDIT_FIELD_TERMINAL" : "?",
>         "_PID" : "1538",
>         "SYSLOG_FACILITY" : "4",
>         "_BOOT_ID" : "3921464b65f64fb4a7c037dee97cd6ad",
>         "SYSLOG_IDENTIFIER" : "audit",
>         "_MACHINE_ID" : "5d78c28f10d54c0fb7b6fd1acc6af8ff",
>         "_AUDIT_TYPE_NAME" : "USER_AVC",
>         "__CURSOR" : "s=84589ce96ff8400189fc515ff892674a;i=c38e;b=3921464b65f64fb4a7c037dee97cd6ad;m=c65c378;t=5e5bd1ff7d4f3;x=c22e610fc9b00b10",
>         "AUDIT_FIELD_ADDR" : "?",
>         "AUDIT_FIELD_HOSTNAME" : "?",
>         "_AUDIT_ID" : "1075",
>         "_HOSTNAME" : "debianBullseye"
>     }
>
> Signed-off-by: Christian Göttsche <cgzones@googlemail.com>

Acked-by: James Carter <jwcart2@gmail.com>

> ---
>  libselinux/src/avc.c | 1 -
>  1 file changed, 1 deletion(-)
>
> diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
> index 7493e4b2..8d5983a2 100644
> --- a/libselinux/src/avc.c
> +++ b/libselinux/src/avc.c
> @@ -725,7 +725,6 @@ void avc_audit(security_id_t ssid, security_id_t tsid,
>         if (denied)
>                 log_append(avc_audit_buf, " permissive=%u", result ? 0 : 1);
>
> -       log_append(avc_audit_buf, "\n");
>         avc_log(SELINUX_AVC, "%s", avc_audit_buf);
>
>         avc_release_lock(avc_log_lock);
> --
> 2.36.1
>

^ permalink raw reply	[flat|nested] 3+ messages in thread
* Re: [PATCH] libselinux: avoid newline in avc message
  2022-08-10 15:33 ` James Carter
@ 2022-08-15 15:53   ` James Carter
  0 siblings, 0 replies; 3+ messages in thread
From: James Carter @ 2022-08-15 15:53 UTC (permalink / raw)
  To: Christian Göttsche; +Cc: selinux

On Wed, Aug 10, 2022 at 11:33 AM James Carter <jwcart2@gmail.com> wrote:
>
> On Mon, Aug 8, 2022 at 1:36 PM Christian Göttsche
> <cgzones@googlemail.com> wrote:
> >
> > Do not add a final newline to the avc log message as it will be treated
> > as a part of the tclass field in final audit record:
> >
> >     {
> >         "AUDIT_FIELD_EXE" : "/usr/bin/dbus-broker",
> >         "_UID" : "104",
> >         "_AUDIT_SESSION" : "4294967295",
> >         "_TRANSPORT" : "audit",
> >         "__REALTIME_TIMESTAMP" : "1659975331468531",
> >         "_AUDIT_TYPE" : "1107",
> >         "AUDIT_FIELD_SCONTEXT" : "system_u:system_r:systemd_t:s0",
> >         "_AUDIT_LOGINUID" : "4294967295",
> >         "_SELINUX_CONTEXT" : "system_u:system_r:system_dbusd_t:s0-s0:c0.c1023",
> >         "AUDIT_FIELD_SAUID" : "104",
> >         "MESSAGE" : "USER_AVC pid=1538 uid=104 auid=4294967295 ses=4294967295 subj=system_u:system_r:system_dbusd_t:s0-s0:c0.c1023 msg='avc:  granted  { send_msg } for  scontext=system_u:system_r:systemd_t:s0 tcontext=system_u:system_r:systemd_logind_t:s0 tclass=dbus\n exe=\"/usr/bin/dbus-broker\" sauid=104 hostname=? addr=? terminal=?'",
> >         "AUDIT_FIELD_TCONTEXT" : "system_u:system_r:systemd_logind_t:s0",
> >         "_SOURCE_REALTIME_TIMESTAMP" : "1659975331462000",
> >         "__MONOTONIC_TIMESTAMP" : "207995768",
> >         "AUDIT_FIELD_TCLASS" : "dbus\n",
> >         "AUDIT_FIELD_TERMINAL" : "?",
> >         "_PID" : "1538",
> >         "SYSLOG_FACILITY" : "4",
> >         "_BOOT_ID" : "3921464b65f64fb4a7c037dee97cd6ad",
> >         "SYSLOG_IDENTIFIER" : "audit",
> >         "_MACHINE_ID" : "5d78c28f10d54c0fb7b6fd1acc6af8ff",
> >         "_AUDIT_TYPE_NAME" : "USER_AVC",
> >         "__CURSOR" : "s=84589ce96ff8400189fc515ff892674a;i=c38e;b=3921464b65f64fb4a7c037dee97cd6ad;m=c65c378;t=5e5bd1ff7d4f3;x=c22e610fc9b00b10",
> >         "AUDIT_FIELD_ADDR" : "?",
> >         "AUDIT_FIELD_HOSTNAME" : "?",
> >         "_AUDIT_ID" : "1075",
> >         "_HOSTNAME" : "debianBullseye"
> >     }
> >
> > Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
>
> Acked-by: James Carter <jwcart2@gmail.com>
>
Merged.
Thanks,
Jim

> > ---
> >  libselinux/src/avc.c | 1 -
> >  1 file changed, 1 deletion(-)
> >
> > diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
> > index 7493e4b2..8d5983a2 100644
> > --- a/libselinux/src/avc.c
> > +++ b/libselinux/src/avc.c
> > @@ -725,7 +725,6 @@ void avc_audit(security_id_t ssid, security_id_t tsid,
> >         if (denied)
> >                 log_append(avc_audit_buf, " permissive=%u", result ? 0 : 1);
> >
> > -       log_append(avc_audit_buf, "\n");
> >         avc_log(SELINUX_AVC, "%s", avc_audit_buf);
> >
> >         avc_release_lock(avc_log_lock);
> > --
> > 2.36.1
> >

^ permalink raw reply	[flat|nested] 3+ messages in thread
end of thread, other threads:[~2022-08-15 15:53 UTC | newest]

Thread overview: 3+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2022-08-08 17:34 [PATCH] libselinux: avoid newline in avc message Christian Göttsche
2022-08-10 15:33 ` James Carter
2022-08-15 15:53   ` James Carter

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for NNTP newsgroup(s).