RFE: show change of enforcing state in log ?

Stephen Smalley sds at epoch.ncsc.mil
Wed Jul 7 15:59:48 UTC 2004


On Tue, 2004-06-29 at 18:35, Tom London wrote:
> How difficult would it be to add 'old state->new state' to the log on a
> change in the enforcing state? Currently, 'setenforce' appears to be
> logged as a toggle....

The kernel just audits the permission check, i.e. that setenforce
permission was checked due to a change to the enforcing status.  One
could add an additional auxiliary audit data type to avc_audit_data and
change the caller to supply the old and new states, but that would
require a patch to the SELinux kernel module, and I'm not sure it is
worthwhile.  You can already have userspace receive notifications of
enforcing status changes, including the new value via netlink socket
messages; the userspace AVC in libselinux does this to detect changes in
permissive/enforcing status.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency
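
The netlink notification path described in the message above, as an added example that is not part of the original post and is not libselinux code: a small listener that tracks the last seen value so it can log "old -> new" on each SELNL_MSG_SETENFORCE. The function name handle_selnl and the -1 "unknown" starting state are assumptions made for illustration.

```c
#include <stdio.h>
#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <linux/selinux_netlink.h>

/* Parse one netlink datagram. For every SELNL_MSG_SETENFORCE message, log
 * "old -> new" and update *state (the kernel sends only the new value, so the
 * old one is whatever we tracked). Returns changes seen, -1 if truncated. */
int handle_selnl(void *buf, size_t len, int *state)
{
    struct nlmsghdr *nlh = buf;
    int rem = (int)len, changes = 0;

    for (; NLMSG_OK(nlh, rem); nlh = NLMSG_NEXT(nlh, rem)) {
        if (nlh->nlmsg_type != SELNL_MSG_SETENFORCE)
            continue;                     /* e.g. SELNL_MSG_POLICYLOAD */
        if (nlh->nlmsg_len < NLMSG_LENGTH(sizeof(struct selnl_msg_setenforce)))
            return -1;
        struct selnl_msg_setenforce *m = NLMSG_DATA(nlh);
        int new_state = m->val ? 1 : 0;
        fprintf(stderr, "enforcing: %d -> %d\n", *state, new_state);
        *state = new_state;
        changes++;
    }
    return changes;
}

int main(void)
{
    struct sockaddr_nl addr = { .nl_family = AF_NETLINK, .nl_groups = SELNL_GRP_AVC };
    char buf[4096] __attribute__((aligned(NLMSG_ALIGNTO)));
    int state = -1;                       /* -1 = unknown until first notification */
    int fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SELINUX);

    if (fd < 0 || bind(fd, (struct sockaddr *)&addr, sizeof(addr)) < 0) {
        perror("NETLINK_SELINUX");
        return 1;
    }
    for (;;) {
        ssize_t n = recv(fd, buf, sizeof(buf), 0);
        if (n <= 0)
            break;
        handle_selnl(buf, (size_t)n, &state);
    }
    close(fd);
    return 0;
}
```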



