summaryrefslogtreecommitdiffstats
path: root/security
diff options
context:
space:
mode:
authorStephen Smalley <sds@tycho.nsa.gov>2010-02-02 11:31:51 -0500
committerJames Morris <jmorris@namei.org>2010-02-03 08:49:10 +1100
commitb6cac5a30b325e14cda425670bb3568d3cad0aa8 (patch)
tree276a3a2a985c862ac9439cb2f8facabb7d1f1944 /security
parent8e2d39a1665e680c095545993aac2fcac6916eb9 (diff)
downloadlinux-stable-b6cac5a30b325e14cda425670bb3568d3cad0aa8.tar.gz
linux-stable-b6cac5a30b325e14cda425670bb3568d3cad0aa8.tar.bz2
linux-stable-b6cac5a30b325e14cda425670bb3568d3cad0aa8.zip
selinux: Only audit permissions specified in policy
Only audit the permissions specified by the policy rules. Before: type=AVC msg=audit(01/28/2010 14:30:46.690:3250) : avc: denied { read append } for pid=14092 comm=foo name=test_file dev=dm-1 ino=132932 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file After: type=AVC msg=audit(01/28/2010 14:52:37.448:26) : avc: denied { append } for pid=1917 comm=foo name=test_file dev=dm-1 ino=132932 scontext=unconfined_u:unconfined_r:load_policy_t:s0-s0:c0.c1023 tcontext=unconfined_u:object_r:rpm_tmp_t:s0 tclass=file Reference: https://bugzilla.redhat.com/show_bug.cgi?id=558499 Reported-by: Tom London <selinux@gmail.com> Signed-off-by: Stephen D. Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security')
-rw-r--r--security/selinux/avc.c17
1 files changed, 7 insertions, 10 deletions
diff --git a/security/selinux/avc.c b/security/selinux/avc.c
index 3ee9b6a8beb6..db0fd9f33499 100644
--- a/security/selinux/avc.c
+++ b/security/selinux/avc.c
@@ -489,17 +489,14 @@ void avc_audit(u32 ssid, u32 tsid,
struct common_audit_data stack_data;
u32 denied, audited;
denied = requested & ~avd->allowed;
- if (denied) {
- audited = denied;
- if (!(audited & avd->auditdeny))
- return;
- } else if (result) {
+ if (denied)
+ audited = denied & avd->auditdeny;
+ else if (result)
audited = denied = requested;
- } else {
- audited = requested;
- if (!(audited & avd->auditallow))
- return;
- }
+ else
+ audited = requested & avd->auditallow;
+ if (!audited)
+ return;
if (!a) {
a = &stack_data;
memset(a, 0, sizeof(*a));