author | Roland McGrath <roland@gnu.org> | 2005-07-18 01:38:55 +0000 |
committer | Roland McGrath <roland@gnu.org> | 2005-07-18 01:38:55 +0000 |
commit | 207f69dccfe19608bd1a0239c2358643b121f362 (patch) | |
tree | ffe0bb742f2312da639fdd322db22ac2eadb8ca1 | |
parent | ede76d1922f7c78eac7c61ca98338f9f87fe05ca (diff) | |
2005-06-14 Ulrich Drepper <drepper@redhat.com>
[BZ #1085] * configure.in: Add test for availability of libaudit. * config.h.in: Define HAVE_LIBAUDIT. * config.make.in: Define have-libaudit. * nscd/Makefile: If libaudit is available, link nscd with it. * nscd/selinux.c: If HAVE_LIBAUDIT is defined, log using libaudit. Patch by Steve Grubb <sgrubb@redhat.com>.
-rw-r--r-- | config.h.in | 3 | ||||
-rw-r--r-- | config.make.in | 1 | ||||
-rw-r--r-- | configure.in | 8 | ||||
-rw-r--r-- | nscd/Makefile | 6 | ||||
-rw-r--r-- | nscd/selinux.c | 43 |
5 files changed, 60 insertions, 1 deletions
diff --git a/config.h.in b/config.h.in
index db3defc6b0..5406d41111 100644
--- a/config.h.in
+++ b/config.h.in
@@ -21,6 +21,9 @@
 /* Define if building with SELinux support. Set by --with-selinux. */
 #undef HAVE_SELINUX
 
+/* Defined if building with SELinux support & audit libs are detected. */
+#undef HAVE_LIBAUDIT
+
 /* Define if using XCOFF. Set by --with-xcoff. */
 #undef HAVE_XCOFF
 
diff --git a/config.make.in b/config.make.in
index 81cb95b77f..222fb33bd3 100644
--- a/config.make.in
+++ b/config.make.in
@@ -59,6 +59,7 @@ enable-check-abi = @enable_check_abi@
 have-forced-unwind = @libc_cv_forced_unwind@
 have-fpie = @libc_cv_fpie@
 have-selinux = @have_selinux@
+have-libaudit = @have_libaudit@
 have-cc-with-libunwind = @libc_cv_cc_with_libunwind@
 fno-unit-at-a-time = @fno_unit_at_a_time@
 bind-now = @bindnow@
diff --git a/configure.in b/configure.in
index 559bee0173..ab4975e481 100644
--- a/configure.in
+++ b/configure.in
@@ -1965,6 +1965,14 @@ fi
 # Check if we're building with SELinux support.
 if test "x$have_selinux" = xyes; then
 AC_DEFINE(HAVE_SELINUX,1,[SELinux support])
+
+ # See if we have the libaudit library
+ AC_CHECK_LIB(audit, audit_log_avc,
+ have_libaudit=yes, have_libaudit=no)
+ if test "x$have_libaudit" = xyes; then
+ AC_DEFINE(HAVE_LIBAUDIT,1,[SELinux libaudit support])
+ fi
+ AC_SUBST(have_libaudit)
 fi
 AC_SUBST(have_selinux)
diff --git a/nscd/Makefile b/nscd/Makefile
index 75a9d434f4..dcdd8b4894 100644
--- a/nscd/Makefile
+++ b/nscd/Makefile
@@ -53,8 +53,12 @@ endif
 all-nscd-modules := $(nscd-modules) selinux
 
 ifeq (yes,$(have-selinux))
+ifeq (yes,$(have-libaudit))
+libaudit = -laudit
+endif
+
 nscd-modules += selinux
-selinux-LIBS := -lselinux
+selinux-LIBS := -lselinux $(libaudit)
 endif
 
 LDLIBS-nscd = $(selinux-LIBS)
diff --git a/nscd/selinux.c b/nscd/selinux.c
index f57f0920ae..4dc4df3648 100644
--- a/nscd/selinux.c
+++ b/nscd/selinux.c
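Review bot: The configure.in hunk defines HAVE_LIBAUDIT from `AC_CHECK_LIB(audit, audit_log_avc, ...)` alone, which only proves that the shared library links; nscd/selinux.c then does `#include <libaudit.h>` under that macro, so a host with the library installed but without its header fails to compile nscd instead of building without audit support. Gate the define on the header too, e.g. `AC_CHECK_HEADER([libaudit.h], [], [have_libaudit=no])` between the library check and the `if test "x$have_libaudit" = xyes` line. `have_libaudit` is never assigned when SELinux support is off, so `@have_libaudit@` in config.make.in expands to empty there; that is harmless for the `ifeq (yes,...)` test in nscd/Makefile, but an explicit `have_libaudit=no` default before the SELinux block would make the intent visible.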
@@ -18,6 +18,7 @@ Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. */
+#include "config.h"
 #include <error.h>
 #include <errno.h>
 #include <libintl.h>
@@ -30,6 +31,9 @@
 #include <selinux/avc.h>
 #include <selinux/flask.h>
 #include <selinux/selinux.h>
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#endif
 
 #include "dbg_log.h"
 #include "selinux.h"
@@ -66,6 +70,11 @@ static struct avc_entry_ref aeref;
 /* Thread to listen for SELinux status changes via netlink. */
 static pthread_t avc_notify_thread;
 
+#ifdef HAVE_LIBAUDIT
+/* Prototype for supporting the audit daemon */
+static void log_callback (const char *fmt, ...);
+#endif
+
 /* Prototypes for AVC callback functions. */
 static void *avc_create_thread (void (*run) (void));
 static void avc_stop_thread (void *thread);
@@ -77,7 +86,11 @@ static void avc_free_lock (void *lock);
 /* AVC callback structures for use in avc_init. */
 static const struct avc_log_callback log_cb =
 {
+#ifdef HAVE_LIBAUDIT
+ .func_log = log_callback,
+#else
 .func_log = dbg_log,
+#endif
 .func_audit = NULL
 };
 static const struct avc_thread_callback thread_cb =
@@ -93,6 +106,30 @@ static const struct avc_lock_callback lock_cb =
 .func_free_lock = avc_free_lock
 };
 
+#ifdef HAVE_LIBAUDIT
+/* The audit system's netlink socket descriptor */
+static int audit_fd = -1;
+
+/* When an avc denial occurs, log it to audit system */
+static void
+log_callback (const char *fmt, ...)
+{
+ va_list ap;
+
+ va_start (ap, fmt);
+ audit_log_avc (audit_fd, AUDIT_USER_AVC, fmt, ap);
+ va_end (ap);
+}
+
+/* Initialize the connection to the audit system */
+static void
+audit_init (void)
+{
+ audit_fd = audit_open ();
+ if (audit_fd < 0)
+ dbg_log (_("Failed opening connection to the audit subsystem"));
+}
+#endif /* HAVE_LIBAUDIT */
 
 /* Determine if we are running on an SELinux kernel. Set selinux_enabled to the result. */
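Review bot: `log_callback` in the last hunk (`@@ -93,6 +106,30 @@`) ignores the return value of `audit_log_avc` and never checks `audit_fd`, while `audit_init` only logs when `audit_open` fails and leaves `audit_fd` at -1; with HAVE_LIBAUDIT the `log_cb` hunk (`@@ -77,7 +86,11 @@`) no longer routes AVC messages through `dbg_log`, so whenever the audit socket is unavailable every AVC denial message is dropped without a trace. Keep `dbg_log` as a fallback when the descriptor is invalid or the send fails (assuming libaudit signals failure with a negative return, as its other send functions do), so a denial is still recorded when auditd is not running. `va_list` is used without a visible `#include <stdarg.h>` — the includes hunk adds only `config.h` and `libaudit.h` — so add it unless it reaches this file through a header not shown; the fallback below also needs `vsnprintf` from `<stdio.h>`.
```c
/* When an avc denial occurs, log it to audit system.  If the audit
   connection is unavailable or the record cannot be sent, keep the
   denial in nscd's own log so it is never dropped silently.  */
static void
log_callback (const char *fmt, ...)
{
  va_list ap;
  int rc = -1;

  if (audit_fd >= 0)
    {
      va_start (ap, fmt);
      rc = audit_log_avc (audit_fd, AUDIT_USER_AVC, fmt, ap);
      va_end (ap);
    }

  if (rc < 0)
    {
      /* Fallback: format once into a bounded buffer, then hand the
	 text to the variadic dbg_log as a plain string argument.  */
      char buf[1024];

      va_start (ap, fmt);
      vsnprintf (buf, sizeof buf, fmt, ap);
      va_end (ap);
      dbg_log ("%s", buf);
    }
}
/* … unchanged: audit_init … */
```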
@@ -182,6 +219,9 @@ nscd_avc_init (void)
 error (EXIT_FAILURE, errno, _("Failed to start AVC"));
 else
 dbg_log (_("Access Vector Cache (AVC) started"));
+#ifdef HAVE_LIBAUDIT
+ audit_init ();
+#endif
 }
 
 
@@ -262,6 +302,9 @@ void
 nscd_avc_destroy (void)
 {
 avc_destroy ();
+#ifdef HAVE_LIBAUDIT
+ audit_close (audit_fd);
+#endif
 }
 
 #endif /* HAVE_SELINUX */
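Review bot: `nscd_avc_destroy` calls `audit_close (audit_fd)` unconditionally, so when `audit_open` failed earlier and `audit_fd` is still -1 this closes an invalid descriptor; guard it and reset the descriptor so a later callback cannot reuse a closed fd: `if (audit_fd >= 0) { audit_close (audit_fd); audit_fd = -1; }`. In the first hunk `audit_init ()` runs only after `avc_init` has succeeded, so any message the AVC emits during its own startup would reach `log_callback` with `audit_fd` still -1 and, with the callback as written, be lost; if that path can log, open the audit connection before `avc_init`. `nscd_avc_init` begins outside the hunk.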