about summary refs log tree commit diff
path: root/nscd
diff options
context:
space:
mode:
authorJakub Jelinek <jakub@redhat.com>2005-06-20 15:59:03 +0000
committerJakub Jelinek <jakub@redhat.com>2005-06-20 15:59:03 +0000
commit27424b29289a49958e62450203f33a57dc1465e2 (patch)
tree7045409bd7d383127ecac0f78325a2a035b3f754 /nscd
parent841d8c3466e6472c9cd16ee5bff701ba0380998a (diff)
downloadglibc-27424b29289a49958e62450203f33a57dc1465e2.tar.gz
glibc-27424b29289a49958e62450203f33a57dc1465e2.tar.xz
glibc-27424b29289a49958e62450203f33a57dc1465e2.zip
Updated to fedora-glibc-20050620T1530
Diffstat (limited to 'nscd')
-rw-r--r--nscd/Makefile6
-rw-r--r--nscd/selinux.c43
2 files changed, 48 insertions, 1 deletions
diff --git a/nscd/Makefile b/nscd/Makefile
index 7e0c4eb30a..2ebd90b989 100644
--- a/nscd/Makefile
+++ b/nscd/Makefile
@@ -53,8 +53,12 @@ endif
 
 all-nscd-modules := $(nscd-modules) selinux
 ifeq (yes,$(have-selinux))
+ifeq (yes,$(have-libaudit))
+libaudit = -laudit
+endif
+
 nscd-modules += selinux
-selinux-LIBS := -lselinux
+selinux-LIBS := -lselinux $(libaudit)
 endif
 
 LDLIBS-nscd = $(selinux-LIBS)
diff --git a/nscd/selinux.c b/nscd/selinux.c
index f57f0920ae..4dc4df3648 100644
--- a/nscd/selinux.c
+++ b/nscd/selinux.c
@@ -18,6 +18,7 @@
    Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
    02111-1307 USA.  */
 
+#include "config.h"
 #include <error.h>
 #include <errno.h>
 #include <libintl.h>
@@ -30,6 +31,9 @@
 #include <selinux/avc.h>
 #include <selinux/flask.h>
 #include <selinux/selinux.h>
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#endif
 
 #include "dbg_log.h"
 #include "selinux.h"
@@ -66,6 +70,11 @@ static struct avc_entry_ref aeref;
 /* Thread to listen for SELinux status changes via netlink.  */
 static pthread_t avc_notify_thread;
 
+#ifdef HAVE_LIBAUDIT
+/* Prototype for supporting the audit daemon */
+static void log_callback (const char *fmt, ...);
+#endif
+
 /* Prototypes for AVC callback functions.  */
 static void *avc_create_thread (void (*run) (void));
 static void avc_stop_thread (void *thread);
@@ -77,7 +86,11 @@ static void avc_free_lock (void *lock);
 /* AVC callback structures for use in avc_init.  */
 static const struct avc_log_callback log_cb =
 {
+#ifdef HAVE_LIBAUDIT
+  .func_log = log_callback,
+#else
   .func_log = dbg_log,
+#endif
   .func_audit = NULL
 };
 static const struct avc_thread_callback thread_cb =
@@ -93,6 +106,30 @@ static const struct avc_lock_callback lock_cb =
   .func_free_lock = avc_free_lock
 };
 
+#ifdef HAVE_LIBAUDIT
+/* The audit system's netlink socket descriptor */
+static int audit_fd = -1;
+
+/* When an avc denial occurs, log it to audit system */
+static void 
+log_callback (const char *fmt, ...)
+{
+  va_list ap;
+
+  va_start (ap, fmt);
+  audit_log_avc (audit_fd, AUDIT_USER_AVC, fmt, ap);
+  va_end (ap);
+}
+
+/* Initialize the connection to the audit system */
+static void 
+audit_init (void)
+{
+  audit_fd = audit_open ();
+  if (audit_fd < 0)
+     dbg_log (_("Failed opening connection to the audit subsystem"));
+}
+#endif /* HAVE_LIBAUDIT */
 
 /* Determine if we are running on an SELinux kernel. Set selinux_enabled
    to the result.  */
@@ -182,6 +219,9 @@ nscd_avc_init (void)
     error (EXIT_FAILURE, errno, _("Failed to start AVC"));
   else
     dbg_log (_("Access Vector Cache (AVC) started"));
+#ifdef HAVE_LIBAUDIT
+  audit_init ();
+#endif
 }
 
 
@@ -262,6 +302,9 @@ void
 nscd_avc_destroy (void)
 {
   avc_destroy ();
+#ifdef HAVE_LIBAUDIT
+  audit_close (audit_fd);
+#endif
 }
 
 #endif /* HAVE_SELINUX */