RFE: show change of enforcing state in log ?

Stephen Smalley sds at epoch.ncsc.mil
Wed Jul 7 19:01:10 UTC 2004


On Wed, 2004-07-07 at 14:55, Tom London wrote:
> Interesting....
> 
> I was actually trying to address a (slightly) different issue: how to
> recreate, after the fact, as much of the state as possible
> from the log.  Can certainly add to the user space code
> to detect this change, and then emit a message to the log.
> 
> Prior to your suggestion, I looked at the code for selinuxfs.c.
> I think a one line change could also do the trick:
> (I modeled this after the log prints on a policy load)
> 
> ***************
> *** 135,140 ****
> --- 135,143 ----
>                 length = task_has_security(current, SECURITY__SETENFORCE);
>                 if (length)
>                         goto out;
> +               printk(KERN_INFO "setenforce:  %s->%s\n",
> +                      (selinux_enforcing ? "enforcing" : "permissive"),
> +                      (new_value ? "enforcing" : "permissive"));
>                 selinux_enforcing = new_value;
>                 if (selinux_enforcing)
>                         avc_ss_reset(0);

Yes, that works as well, although I'd advise using
audit_log(current->audit_context, "setenforce:  %s->%s", ...) rather
than printk, so that you use the audit framework rather than the normal
kernel logging framework.  That allows for the messages to be routed to
a separate audit daemon and processed differently.

-- 
Stephen Smalley <sds at epoch.ncsc.mil>
National Security Agency



