On Wed, 2004-07-07 at 14:55, Tom London wrote:
Interesting....
I was actually trying to address a (slightly) different issue: how to
recreate, after the fact, as much of the state as possible
from the log. Can certainly add to the user space code
to detect this change, and then emit a message to the log.
Prior to your suggestion, I looked at the code for selinuxfs.c.
I think a one line change could also do the trick:
(I modeled this after the log prints on a policy load)
***************
*** 135,140 ****
--- 135,143 ----
length = task_has_security(current, SECURITY__SETENFORCE);
if (length)
goto out;
+ printk(KERN_INFO "setenforce: %s->%s\n",
+ (selinux_enforcing ? "enforcing" :
"permissive"),
+ (new_value ? "enforcing" : "permissive"));
selinux_enforcing = new_value;
if (selinux_enforcing)
avc_ss_reset(0);
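Review bot: the added printk records only the old and new mode, not which process requested the change, even though the hunk already checks `current` for SECURITY__SETENFORCE; for reconstructing state after the fact the record should identify the requester (pid, comm, uid), which is the kind of context the audit framework attaches to a record and plain printk does not. The message is also emitted when new_value equals selinux_enforcing, so a no-op write shows up as a transition; consider logging only on an actual change. Finally, the continuation line `"permissive"),` is missing the `+` marker the other added lines carry, so the patch as pasted will not apply cleanly.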
Yes, that works as well, although I'd advise using
audit_log(current->audit_context, "setenforce: %s->%s", ...) rather
than printk, so that you use the audit framework rather than the normal
kernel logging framework. That allows for the messages to be routed to
a separate audit daemon and processed differently.
--
Stephen Smalley <sds(a)epoch.ncsc.mil>
National Security Agency
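As an added example (not part of the thread and not code from either author), here is a small Python script that replays "setenforce: old->new" records of the form the patch above emits and reconstructs the enforcing mode over time, flagging records whose reported old mode contradicts the replayed state (a sign of a missing record). The syslog-style line prefixes in the sample are constructed for this example.

```python
import re
from typing import Dict, List, Optional, Tuple

# The message body the patch emits: "setenforce: <old>-><new>".
# The syslog-style prefix on each line is an assumption for this example.
SETENFORCE_RE = re.compile(
    r"setenforce: (?P<old>enforcing|permissive)->(?P<new>enforcing|permissive)"
)

# Constructed sample log: the record preceding the last transition is missing,
# so the "old" mode it reports disagrees with the reconstructed state.
SAMPLE_LOG = [
    "Jul  7 14:50:01 host kernel: security: 3 users, 5 roles, 200 types",
    "Jul  7 14:55:10 host kernel: setenforce: enforcing->permissive",
    "Jul  7 15:02:33 host kernel: setenforce: permissive->enforcing",
    "Jul  7 15:40:07 host kernel: setenforce: permissive->permissive",
]


def reconstruct_enforcing_state(
    lines: List[str], initial: Optional[str] = None
) -> Dict[str, object]:
    """Replay setenforce records in order and return the reconstructed state.

    Returns the final mode, every transition seen, and anomalies: a record
    whose reported old mode contradicts the replayed state (evidence of a
    missing or altered record) or a no-op write that changed nothing.
    """
    state = initial
    transitions: List[Tuple[int, str, str]] = []
    anomalies: List[Tuple[int, str]] = []
    for lineno, line in enumerate(lines, start=1):
        m = SETENFORCE_RE.search(line)
        if m is None:
            continue
        old, new = m.group("old"), m.group("new")
        if state is not None and old != state:
            anomalies.append((lineno, f"reports {old} but replay says {state}"))
        if old == new:
            anomalies.append((lineno, f"no-op write, mode stays {new}"))
        transitions.append((lineno, old, new))
        state = new
    return {"final": state, "transitions": transitions, "anomalies": anomalies}


if __name__ == "__main__":
    result = reconstruct_enforcing_state(SAMPLE_LOG)
    print("final mode:", result["final"])
    for item in result["anomalies"]:
        print("anomaly:", item)
```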