authorHavoc Pennington <hp@redhat.com>2007-06-13 16:30:43 +0000
committerHavoc Pennington <hp@redhat.com>2007-06-13 16:30:43 +0000
commite3d30a03225dd1d26012ecd39b09e4ccf91befb5 (patch)
treed912bb502f5ea4d253c4b3c6c1c5f3e4ba159297 /bus
parent15a610bc4c87d389463112ef0ad4fde195af83ca (diff)
2007-06-13 Havoc Pennington <hp@redhat.com>
* configure.ac, bus/selinux.c, dbus/dbus-sysdeps-unix-util.c: add libaudit support, no clue what this means really but now we have it. Patches from Fedora package. * bus/bus.c (bus_context_new): move selinux initialization after changing to daemon user, patch from Fedora package * dbus/dbus-transport.c (auth_via_unix_user_function): fix a typo
Diffstat (limited to 'bus')
-rw-r--r--bus/bus.c10
-rw-r--r--bus/selinux.c54
2 files changed, 57 insertions, 7 deletions
diff --git a/bus/bus.c b/bus/bus.c
index 073f0a5b..a6abc455 100644
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -739,11 +739,6 @@ bus_context_new (const DBusString *config_file,
_dbus_string_free (&pid);
}
- if (!bus_selinux_full_init ())
- {
- _dbus_warn ("SELinux initialization failed\n");
- }
-
if (!process_config_postinit (context, parser, error))
{
_DBUS_ASSERT_ERROR_IS_SET (error);
@@ -767,6 +762,11 @@ bus_context_new (const DBusString *config_file,
goto failed;
}
}
+
+ if (!bus_selinux_full_init ())
+ {
+ _dbus_warn ("SELinux initialization failed\n");
+ }
dbus_server_free_data_slot (&server_data_slot);
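Review bot: Nothing at the new call site records that `bus_selinux_full_init ()` has to stay after the switch to the daemon user, and a failure is still only reported through `_dbus_warn`, so the bus keeps running without the AVC set up. A short comment above the call would stop a later cleanup from moving it back, for example `/* Must run after changing to the daemon user (ChangeLog 2007-06-13) */`. Whether the daemon user keeps the privileges that the init and `audit_open ()` need is decided in files outside this diff (it is limited to bus/), so that is worth confirming before relying on the audit path. bus_context_new starts and ends outside the hunk.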
diff --git a/bus/selinux.c b/bus/selinux.c
index e5f26da2..c2138380 100644
--- a/bus/selinux.c
+++ b/bus/selinux.c
@@ -38,6 +38,9 @@
#include <selinux/flask.h>
#include <signal.h>
#include <stdarg.h>
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#endif /* HAVE_LIBAUDIT */
#endif /* HAVE_SELINUX */
#define BUS_SID_FROM_SELINUX(sid) ((BusSELinuxID*) (sid))
@@ -100,11 +103,50 @@ static const struct avc_lock_callback lock_cb =
* @param variable argument list
*/
#ifdef HAVE_SELINUX
+
+#ifdef HAVE_LIBAUDIT
+static int audit_fd = -1;
+#endif
+
+static void
+audit_init(void)
+{
+#ifdef HAVE_LIBAUDIT
+ audit_fd = audit_open ();
+
+ if (audit_fd < 0)
+ {
+ /* If kernel doesn't support audit, bail out */
+ if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT)
+ return;
+ /* If user bus, bail out */
+ if (errno == EPERM && getuid() != 0)
+ return;
+ _dbus_warn ("Failed opening connection to the audit subsystem");
+ }
+#endif /* HAVE_LIBAUDIT */
+}
+
static void
log_callback (const char *fmt, ...)
{
va_list ap;
+
va_start(ap, fmt);
+
+#ifdef HAVE_LIBAUDIT
+ if (audit_fd >= 0)
+ {
+ char buf[PATH_MAX*2];
+
+ /* FIXME: need to change this to show real user */
+ vsnprintf(buf, sizeof(buf), fmt, ap);
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
+ NULL, getuid());
+ return;
+ }
+#endif /* HAVE_LIBAUDIT */
+
vsyslog (LOG_INFO, fmt, ap);
va_end(ap);
}
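Review bot: In log_callback the audit branch returns without calling `va_end(ap)` and ignores the result of `audit_log_user_avc_message()`, so an AVC message is dropped silently whenever the audit write is refused (libaudit documents a return value of 0 or less on error). Since `buf` is already formatted, the branch can fall back to syslog with it, as sketched below; `vsnprintf` truncation is also unchecked, though `PATH_MAX*2` makes that unlikely. The FIXME stands: `getuid()` reports the bus daemon's uid, not the uid of the peer the AVC decision was about, so the audit record cannot be attributed to the real user. The new `_dbus_warn` in audit_init also lacks the trailing `\n` used by the other warnings in this commit.

```c
      /* … unchanged: buf declaration and vsnprintf … */
      va_end (ap);
      if (audit_log_user_avc_message (audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
                                      NULL, getuid ()) <= 0)
        {
          /* keep the AVC message if the audit write was refused */
          syslog (LOG_INFO, "%s", buf);
        }
      return;
```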
@@ -303,6 +345,8 @@ bus_selinux_full_init (void)
freecon (bus_context);
+ audit_init ();
+
return TRUE;
#else
return TRUE;
@@ -925,12 +969,18 @@ bus_selinux_shutdown (void)
{
sidput (bus_sid);
bus_sid = SECSID_WILD;
-
+
#ifdef DBUS_ENABLE_VERBOSE_MODE
- bus_avc_print_stats ();
+
+ if (_dbus_is_verbose())
+ bus_avc_print_stats ();
+
#endif /* DBUS_ENABLE_VERBOSE_MODE */
avc_destroy ();
+#ifdef HAVE_LIBAUDIT
+ audit_close (audit_fd);
+#endif /* HAVE_LIBAUDIT */
}
#endif /* HAVE_SELINUX */
}
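Review bot: After `audit_close (audit_fd);` the static `audit_fd` keeps its old value, so a later log_callback call would still take the audit branch and write to a closed, or since reused, descriptor. Resetting it closes that window: `audit_close (audit_fd); audit_fd = -1;`. Whether log_callback can run after bus_selinux_shutdown, or the SELinux code is initialised again in the same process, is not visible here, but the reset costs nothing. bus_selinux_shutdown starts outside the hunk.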