git.baikalelectronics.ru Git - kernel.git/commit

author	Richard Guy Briggs <rgb@redhat.com>
	Mon, 9 Apr 2018 23:34:22 +0000 (19:34 -0400)
committer	Paul Moore <paul@paul-moore.com>
	Tue, 17 Apr 2018 21:40:40 +0000 (17:40 -0400)
commit	b91d0de0219a951ff957fea467c98f87272d3cc0
tree	edaae5ca81af1b9936e95059ff80e8fe86aacf39	tree \| snapshot
parent	02d2dc49efd3032566cf1a3a80e0348241c6bf78	commit \| diff

audit: normalize MAC_STATUS record

There were two formats of the audit MAC_STATUS record, one of which was more
standard than the other.  One listed enforcing status changes and the
other listed enabled status changes with a non-standard label.  In
addition, the record was missing information about which LSM was
responsible and the operation's completion status.  While this record is
only issued on success, the parser expects the res= field to be present.

old enforcing/permissive:
type=MAC_STATUS msg=audit(1523312831.378:24514): enforcing=0 old_enforcing=1 auid=0 ses=1
old enable/disable:
type=MAC_STATUS msg=audit(1523312831.378:24514): selinux=0 auid=0 ses=1

List both sets of status and old values and add the lsm= field and the
res= field.

Here is the new format:
type=MAC_STATUS msg=audit(1523293828.657:891): enforcing=0 old_enforcing=1 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1

This record already accompanied a SYSCALL record.

See: https://github.com/linux-audit/audit-kernel/issues/46

Signed-off-by: Richard Guy Briggs <rgb@redhat.com>
[PM: 80-char fixes, merge fuzz, use new SELinux state functions]
Signed-off-by: Paul Moore <paul@paul-moore.com>