about summary refs log tree commit diff
diff options
context:
space:
mode:
-rw-r--r--ChangeLog7
-rw-r--r--config.h.in3
-rw-r--r--config.make.in1
-rw-r--r--configure.in8
-rw-r--r--nscd/Makefile6
-rw-r--r--nscd/selinux.c43
6 files changed, 67 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 38071b4380..711ae2f641 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2005-06-14  Ulrich Drepper  <drepper@redhat.com>
 
+	* configure.in: Add test for availability of libaudit.
+	* config.h.in: Define HAVE_LIBAUDIT.
+	* config.make.in: Define have-libaudit.
+	* nscd/Makefile: If libaudit is available, link nscd with it.
+	* nscd/selinux.c: If HAVE_LIBAUDIT is defined, log using libaudit.
+	Patch by Steve Grubb <sgrubb@redhat.com>.
+
 	* debug/pread64_chk.c: Use __libc_pread64 instead of __pread64.
 	* sysdeps/posix/posix_fallocate64.c: Likewise.
 	* include/string.h: Use libc_hidden_proto for strnlen.
diff --git a/config.h.in b/config.h.in
index db3defc6b0..5406d41111 100644
--- a/config.h.in
+++ b/config.h.in
@@ -21,6 +21,9 @@
 /* Define if building with SELinux support.  Set by --with-selinux.  */
 #undef	HAVE_SELINUX
 
+/* Defined if building with SELinux support & audit libs are detected. */
+#undef	HAVE_LIBAUDIT
+
 /* Define if using XCOFF. Set by --with-xcoff.  */
 #undef	HAVE_XCOFF
 
diff --git a/config.make.in b/config.make.in
index 1bd025e97e..1ab4bfbfc4 100644
--- a/config.make.in
+++ b/config.make.in
@@ -59,6 +59,7 @@ enable-check-abi = @enable_check_abi@
 have-forced-unwind = @libc_cv_forced_unwind@
 have-fpie = @libc_cv_fpie@
 have-selinux = @have_selinux@
+have-libaudit = @have_libaudit@
 have-cc-with-libunwind = @libc_cv_cc_with_libunwind@
 fno-unit-at-a-time = @fno_unit_at_a_time@
 bind-now = @bindnow@
diff --git a/configure.in b/configure.in
index 503611a6b9..5f46b5e4ef 100644
--- a/configure.in
+++ b/configure.in
@@ -1938,6 +1938,14 @@ fi
 # Check if we're building with SELinux support.
 if test "x$have_selinux" = xyes; then
   AC_DEFINE(HAVE_SELINUX,1,[SELinux support])
+
+  # See if we have the libaudit library
+  AC_CHECK_LIB(audit, audit_log_avc,
+              have_libaudit=yes, have_libaudit=no)
+  if test "x$have_libaudit" = xyes; then
+    AC_DEFINE(HAVE_LIBAUDIT,1,[SELinux libaudit support])
+  fi
+  AC_SUBST(have_libaudit)
 fi
 AC_SUBST(have_selinux)
 
diff --git a/nscd/Makefile b/nscd/Makefile
index 7e0c4eb30a..2ebd90b989 100644
--- a/nscd/Makefile
+++ b/nscd/Makefile
@@ -53,8 +53,12 @@ endif
 
 all-nscd-modules := $(nscd-modules) selinux
 ifeq (yes,$(have-selinux))
+ifeq (yes,$(have-libaudit))
+libaudit = -laudit
+endif
+
 nscd-modules += selinux
-selinux-LIBS := -lselinux
+selinux-LIBS := -lselinux $(libaudit)
 endif
 
 LDLIBS-nscd = $(selinux-LIBS)
diff --git a/nscd/selinux.c b/nscd/selinux.c
index f57f0920ae..4dc4df3648 100644
--- a/nscd/selinux.c
+++ b/nscd/selinux.c
@@ -18,6 +18,7 @@
    Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
    02111-1307 USA.  */
 
+#include "config.h"
 #include <error.h>
 #include <errno.h>
 #include <libintl.h>
@@ -30,6 +31,9 @@
 #include <selinux/avc.h>
 #include <selinux/flask.h>
 #include <selinux/selinux.h>
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#endif
 
 #include "dbg_log.h"
 #include "selinux.h"
@@ -66,6 +70,11 @@ static struct avc_entry_ref aeref;
 /* Thread to listen for SELinux status changes via netlink.  */
 static pthread_t avc_notify_thread;
 
+#ifdef HAVE_LIBAUDIT
+/* Prototype for supporting the audit daemon */
+static void log_callback (const char *fmt, ...);
+#endif
+
 /* Prototypes for AVC callback functions.  */
 static void *avc_create_thread (void (*run) (void));
 static void avc_stop_thread (void *thread);
@@ -77,7 +86,11 @@ static void avc_free_lock (void *lock);
 /* AVC callback structures for use in avc_init.  */
 static const struct avc_log_callback log_cb =
 {
+#ifdef HAVE_LIBAUDIT
+  .func_log = log_callback,
+#else
   .func_log = dbg_log,
+#endif
   .func_audit = NULL
 };
 static const struct avc_thread_callback thread_cb =
@@ -93,6 +106,30 @@ static const struct avc_lock_callback lock_cb =
   .func_free_lock = avc_free_lock
 };
 
+#ifdef HAVE_LIBAUDIT
+/* The audit system's netlink socket descriptor */
+static int audit_fd = -1;
+
+/* When an avc denial occurs, log it to audit system */
+static void 
+log_callback (const char *fmt, ...)
+{
+  va_list ap;
+
+  va_start (ap, fmt);
+  audit_log_avc (audit_fd, AUDIT_USER_AVC, fmt, ap);
+  va_end (ap);
+}
+
+/* Initialize the connection to the audit system */
+static void 
+audit_init (void)
+{
+  audit_fd = audit_open ();
+  if (audit_fd < 0)
+     dbg_log (_("Failed opening connection to the audit subsystem"));
+}
+#endif /* HAVE_LIBAUDIT */
 
 /* Determine if we are running on an SELinux kernel. Set selinux_enabled
    to the result.  */
@@ -182,6 +219,9 @@ nscd_avc_init (void)
     error (EXIT_FAILURE, errno, _("Failed to start AVC"));
   else
     dbg_log (_("Access Vector Cache (AVC) started"));
+#ifdef HAVE_LIBAUDIT
+  audit_init ();
+#endif
 }
 
 
@@ -262,6 +302,9 @@ void
 nscd_avc_destroy (void)
 {
   avc_destroy ();
+#ifdef HAVE_LIBAUDIT
+  audit_close (audit_fd);
+#endif
 }
 
 #endif /* HAVE_SELINUX */