d8e848 selinux: don't log SELINUX_INFO and SELINUX_WARNING messages to audit

1 file Authored by Michal Sekletar 4 years ago, Committed by Packit Service 4 years ago,
    selinux: don't log SELINUX_INFO and SELINUX_WARNING messages to audit
    
    Previously we logged even info messages from libselinux as USER_AVC's to
    audit. For example, setting SELinux to permissive mode generated the
    following audit message,
    
    time->Tue Feb 26 11:29:29 2019
    type=USER_AVC msg=audit(1551198569.423:334): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe="/usr/lib/systemd/systemd" sauid=0 hostname=? addr=? terminal=?'
    
    This is unnecessary and wrong at the same time. First, the kernel already
    records an audit event that SELinux was switched to permissive mode. Also,
    the type of the message really shouldn't be USER_AVC.
    
    Let's ignore SELINUX_WARNING and SELINUX_INFO and forward to audit only
    USER_AVC's and errors as these two libselinux message types have a clear
    mapping to audit message types.
    
    (cherry picked from commit 6227fc14c48c4c17daed4b91f61cdd4aa375790a)
    
    Resolves: #1763612
    
    patch_name: 0241-selinux-don-t-log-SELINUX_INFO-and-SELINUX_WARNING-m.patch
    present_in_specfile: true
    location_in_specfile: 241
    squash_commits: true
    
        
file modified
+5 -1
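
For triage on hosts that still run the pre-patch behaviour, the following added example (not part of the commit or of systemd) separates USER_AVC records that carry a real access decision from informational libselinux notices like the one quoted in the commit message. It assumes the kernel's own record of the mode change has type MAC_STATUS, which the page does not name; the second and third sample records are constructed.

```python
import re

# Record 1 is the USER_AVC line quoted in the commit message. Records 2 and 3
# are constructed for this example: a kernel MAC_STATUS event (assumed type
# name for the kernel's enforcing-mode record) and a userspace AVC denial.
SAMPLE = [
    "type=USER_AVC msg=audit(1551198569.423:334): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  received setenforce notice (enforcing=0)  exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
    "type=MAC_STATUS msg=audit(1551198569.420:333): enforcing=0 old_enforcing=1 auid=0 ses=1",
    "type=USER_AVC msg=audit(1551198600.100:340): pid=1 uid=0 auid=4294967295 ses=4294967295 subj=system_u:system_r:init_t:s0 msg='avc:  denied  { start } for auid=n/a uid=1000 gid=1000 path=\"/usr/lib/systemd/system/example.service\" cmdline=\"systemctl start example\" scontext=user_u:user_r:user_t:s0 tcontext=system_u:object_r:systemd_unit_file_t:s0 tclass=service  exe=\"/usr/lib/systemd/systemd\" sauid=0 hostname=? addr=? terminal=?'",
]

HEADER = re.compile(r"^type=(?P<type>\S+) msg=audit\((?P<ts>\d+\.\d+):(?P<serial>\d+)\): (?P<body>.*)$")
INNER = re.compile(r"msg='(?P<inner>.*)'\s*$")
# A genuine access decision starts with "avc:  denied {" or "avc:  granted {".
DECISION = re.compile(r"^avc:\s+(denied|granted)\s+\{")


def classify(line):
    """Parse one raw audit record; return None if it is not an audit line."""
    m = HEADER.match(line.strip())
    if not m:
        return None
    rec = {"type": m["type"], "serial": int(m["serial"]), "ts": float(m["ts"])}
    if rec["type"] != "USER_AVC":
        rec["kind"] = "other"
        return rec
    inner = INNER.search(m["body"])
    text = inner["inner"] if inner else ""
    # Anything that is not a decision is an informational notice that was
    # logged under the USER_AVC type.
    rec["kind"] = "decision" if DECISION.match(text) else "notice"
    return rec


def redundant_notices(lines, window=1.0):
    """Serials of USER_AVC notices that a MAC_STATUS record within
    `window` seconds already covers."""
    recs = [r for r in map(classify, lines) if r]
    status_ts = [r["ts"] for r in recs if r["type"] == "MAC_STATUS"]
    return [r["serial"] for r in recs
            if r["kind"] == "notice"
            and any(abs(r["ts"] - t) <= window for t in status_ts)]


if __name__ == "__main__":
    for line in SAMPLE:
        print(classify(line))
    print("redundant:", redundant_notices(SAMPLE))
```
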