From e3d30a03225dd1d26012ecd39b09e4ccf91befb5 Mon Sep 17 00:00:00 2001
From: Havoc Pennington
Date: Wed, 13 Jun 2007 16:30:43 +0000
Subject: 2007-06-13 Havoc Pennington
 * configure.ac, bus/selinux.c, dbus/dbus-sysdeps-unix-util.c: add libaudit support, no clue what this means really but now we have it. Patches from Fedora package.
 * bus/bus.c (bus_context_new): move selinux initialization after changing to daemon user, patch from Fedora package
 * dbus/dbus-transport.c (auth_via_unix_user_function): fix a typo
---
 bus/bus.c | 10 +++++-----
 bus/selinux.c | 54 ++++++++++++++++++++++++++++++++++++++++++++++++++++--
 2 files changed, 57 insertions(+), 7 deletions(-)
(limited to 'bus')
diff --git a/bus/bus.c b/bus/bus.c
index 073f0a5b..a6abc455 100644
--- a/bus/bus.c
+++ b/bus/bus.c
@@ -739,11 +739,6 @@ bus_context_new (const DBusString *config_file,
 _dbus_string_free (&pid);
 }
- if (!bus_selinux_full_init ())
- {
- _dbus_warn ("SELinux initialization failed\n");
- }
-
 if (!process_config_postinit (context, parser, error))
 {
 _DBUS_ASSERT_ERROR_IS_SET (error);
@@ -767,6 +762,11 @@ bus_context_new (const DBusString *config_file,
 goto failed;
 }
 }
+
+ if (!bus_selinux_full_init ())
+ {
+ _dbus_warn ("SELinux initialization failed\n");
+ }
 dbus_server_free_data_slot (&server_data_slot);
diff --git a/bus/selinux.c b/bus/selinux.c
index e5f26da2..c2138380 100644
--- a/bus/selinux.c
+++ b/bus/selinux.c
@@ -38,6 +38,9 @@
 #include
 #include
 #include
+#ifdef HAVE_LIBAUDIT
+#include
+#endif /* HAVE_LIBAUDIT */
 #endif /* HAVE_SELINUX */
 #define BUS_SID_FROM_SELINUX(sid) ((BusSELinuxID*) (sid))
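Review bot: In the second bus.c hunk, bus_selinux_full_init () now runs after the switch to the daemon user that the commit message describes, which means the audit_init () it calls (added to bus/selinux.c in this same commit) also runs without root; audit_open () then fails with EPERM, and audit_init () returns silently whenever errno is EPERM and getuid() != 0, so a system bus that drops privileges loses its AVC audit trail with no diagnostic while denials keep going to syslog. Whether the daemon user retains CAP_AUDIT_WRITE is not visible from this diff, so this may be intended; if it is not, the silent path deserves at least `_dbus_verbose ("audit subsystem unavailable, AVC messages will go to syslog\n");` so the loss can be seen in a verbose run. bus_context_new continues outside both hunks.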
@@ -100,11 +103,50 @@ static const struct avc_lock_callback lock_cb =
 * @param variable argument list
 */
 #ifdef HAVE_SELINUX
+
+#ifdef HAVE_LIBAUDIT
+static int audit_fd = -1;
+#endif
+
+static void
+audit_init(void)
+{
+#ifdef HAVE_LIBAUDIT
+ audit_fd = audit_open ();
+
+ if (audit_fd < 0)
+ {
+ /* If kernel doesn't support audit, bail out */
+ if (errno == EINVAL || errno == EPROTONOSUPPORT || errno == EAFNOSUPPORT)
+ return;
+ /* If user bus, bail out */
+ if (errno == EPERM && getuid() != 0)
+ return;
+ _dbus_warn ("Failed opening connection to the audit subsystem");
+ }
+#endif /* HAVE_LIBAUDIT */
+}
+
 static void
 log_callback (const char *fmt, ...)
 {
 va_list ap;
+
 va_start(ap, fmt);
+
+#ifdef HAVE_LIBAUDIT
+ if (audit_fd >= 0)
+ {
+ char buf[PATH_MAX*2];
+
+ /* FIXME: need to change this to show real user */
+ vsnprintf(buf, sizeof(buf), fmt, ap);
+ audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
+ NULL, getuid());
+ return;
+ }
+#endif /* HAVE_LIBAUDIT */
+
 vsyslog (LOG_INFO, fmt, ap);
 va_end(ap);
 }
@@ -303,6 +345,8 @@ bus_selinux_full_init (void)
 freecon (bus_context);
+ audit_init ();
+
 return TRUE;
 #else
 return TRUE;
@@ -925,12 +969,18 @@ bus_selinux_shutdown (void)
 {
 sidput (bus_sid);
 bus_sid = SECSID_WILD;
-
+
 #ifdef DBUS_ENABLE_VERBOSE_MODE
- bus_avc_print_stats ();
+
+ if (_dbus_is_verbose())
+ bus_avc_print_stats ();
+
 #endif /* DBUS_ENABLE_VERBOSE_MODE */
 avc_destroy ();
+#ifdef HAVE_LIBAUDIT
+ audit_close (audit_fd);
+#endif /* HAVE_LIBAUDIT */
 }
 #endif /* HAVE_SELINUX */
 }
--
cgit
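Review bot: The early `return;` inside the HAVE_LIBAUDIT branch of log_callback leaves the va_list open: vsnprintf consumes ap and the function exits before the `va_end(ap);` at the bottom, which C requires after every va_start; add `va_end(ap);` directly before that `return;`. The return value of audit_log_user_avc_message is also discarded, so if the write to the audit socket fails the denial message is lost rather than falling back to syslog; as I read the libaudit API a non-positive return signals failure, and since buf already holds the formatted text, `if (audit_log_user_avc_message (audit_fd, AUDIT_USER_AVC, buf, NULL, NULL, NULL, getuid()) <= 0) syslog (LOG_INFO, "%s", buf);` keeps a record either way. Separately, `_dbus_warn ("Failed opening connection to the audit subsystem")` in audit_init lacks the trailing `\n` that the other _dbus_warn call in this commit uses. Both audit_init and log_callback are fully contained in this hunk.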
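Review bot: In the bus_selinux_shutdown hunk, `audit_close (audit_fd)` is called even when audit_fd is still -1 (audit_open () failed, or audit_init () never ran because bus_selinux_full_init () was not reached), and audit_fd is not reset afterwards, so any later log_callback would hand a closed — or by then reused — descriptor to audit_log_user_avc_message. Guard and reset it: `if (audit_fd >= 0) { audit_close (audit_fd); audit_fd = -1; }`. Leaving the close after avc_destroy () looks right if avc_destroy () can still route messages through log_callback; I cannot confirm that from this diff. bus_selinux_shutdown begins outside the hunk.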