-rw-r--r-- | ChangeLog | 7 | ||||
-rw-r--r-- | config.h.in | 3 | ||||
-rw-r--r-- | config.make.in | 1 | ||||
-rw-r--r-- | configure.in | 8 | ||||
-rw-r--r-- | nscd/Makefile | 6 | ||||
-rw-r--r-- | nscd/selinux.c | 43 |
6 files changed, 67 insertions, 1 deletions
diff --git a/ChangeLog b/ChangeLog
index 38071b4380..711ae2f641 100644
--- a/ChangeLog
+++ b/ChangeLog
@@ -1,5 +1,12 @@
 2005-06-14 Ulrich Drepper <drepper@redhat.com>
+ * configure.in: Add test for availability of libaudit.
+ * config.h.in: Define HAVE_LIBAUDIT.
+ * config.make.in: Define have-libaudit.
+ * nscd/Makefile: If libaudit is available, link nscd with it.
+ * nscd/selinux.c: If HAVE_LIBAUDIT is defined, log using libaudit.
+ Patch by Steve Grubb <sgrubb@redhat.com>.
+
 * debug/pread64_chk.c: Use __libc_pread64 instead of __pread64.
 * sysdeps/posix/posix_fallocate64.c: Likewise.
 * include/string.h: Use libc_hidden_proto for strnlen.
diff --git a/config.h.in b/config.h.in
index db3defc6b0..5406d41111 100644
--- a/config.h.in
+++ b/config.h.in
@@ -21,6 +21,9 @@
 /* Define if building with SELinux support. Set by --with-selinux. */
 #undef HAVE_SELINUX
+/* Defined if building with SELinux support & audit libs are detected. */
+#undef HAVE_LIBAUDIT
+
 /* Define if using XCOFF. Set by --with-xcoff. */
 #undef HAVE_XCOFF
diff --git a/config.make.in b/config.make.in
index 1bd025e97e..1ab4bfbfc4 100644
--- a/config.make.in
+++ b/config.make.in
@@ -59,6 +59,7 @@ enable-check-abi = @enable_check_abi@
 have-forced-unwind = @libc_cv_forced_unwind@
 have-fpie = @libc_cv_fpie@
 have-selinux = @have_selinux@
+have-libaudit = @have_libaudit@
 have-cc-with-libunwind = @libc_cv_cc_with_libunwind@
 fno-unit-at-a-time = @fno_unit_at_a_time@
 bind-now = @bindnow@
diff --git a/configure.in b/configure.in
index 503611a6b9..5f46b5e4ef 100644
--- a/configure.in
+++ b/configure.in
@@ -1938,6 +1938,14 @@ fi
 # Check if we're building with SELinux support.
 if test "x$have_selinux" = xyes; then
 AC_DEFINE(HAVE_SELINUX,1,[SELinux support])
+
+ # See if we have the libaudit library
+ AC_CHECK_LIB(audit, audit_log_avc,
+ have_libaudit=yes, have_libaudit=no)
+ if test "x$have_libaudit" = xyes; then
+ AC_DEFINE(HAVE_LIBAUDIT,1,[SELinux libaudit support])
+ fi
+ AC_SUBST(have_libaudit)
 fi
 AC_SUBST(have_selinux)
diff --git a/nscd/Makefile b/nscd/Makefile
index 7e0c4eb30a..2ebd90b989 100644
--- a/nscd/Makefile
+++ b/nscd/Makefile
@@ -53,8 +53,12 @@ endif
 all-nscd-modules := $(nscd-modules) selinux
 ifeq (yes,$(have-selinux))
+ifeq (yes,$(have-libaudit))
+libaudit = -laudit
+endif
+
 nscd-modules += selinux
-selinux-LIBS := -lselinux
+selinux-LIBS := -lselinux $(libaudit)
 endif
 LDLIBS-nscd = $(selinux-LIBS)
diff --git a/nscd/selinux.c b/nscd/selinux.c
index f57f0920ae..4dc4df3648 100644
--- a/nscd/selinux.c
+++ b/nscd/selinux.c
@@ -18,6 +18,7 @@
 Software Foundation, Inc., 59 Temple Place, Suite 330, Boston, MA
 02111-1307 USA. */
+#include "config.h"
 #include <error.h>
 #include <errno.h>
 #include <libintl.h>
@@ -30,6 +31,9 @@
 #include <selinux/avc.h>
 #include <selinux/flask.h>
 #include <selinux/selinux.h>
+#ifdef HAVE_LIBAUDIT
+#include <libaudit.h>
+#endif
 #include "dbg_log.h"
 #include "selinux.h"
@@ -66,6 +70,11 @@ static struct avc_entry_ref aeref;
 /* Thread to listen for SELinux status changes via netlink. */
 static pthread_t avc_notify_thread;
+#ifdef HAVE_LIBAUDIT
+/* Prototype for supporting the audit daemon */
+static void log_callback (const char *fmt, ...);
+#endif
+
 /* Prototypes for AVC callback functions. */
 static void *avc_create_thread (void (*run) (void));
 static void avc_stop_thread (void *thread);
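Review bot: `AC_CHECK_LIB(audit, audit_log_avc, …)` only proves that `-laudit` links; it does not check for `libaudit.h`, which nscd/selinux.c includes under `HAVE_LIBAUDIT`, so a build host with the runtime library but no development header gets `HAVE_LIBAUDIT` defined and the compile of nscd fails. Guard the library test with a header test, e.g. `AC_CHECK_HEADER([libaudit.h], [AC_CHECK_LIB(audit, audit_log_avc, have_libaudit=yes, have_libaudit=no)], [have_libaudit=no])`. Because this is pure autodetection with no `--with-libaudit`/`--without-libaudit` switch (unlike `--with-selinux` referenced just above), whether nscd sends AVC denials to auditd or to its own log silently depends on what happened to be installed on the build host; an explicit option, or at least a configure summary line, would make that reproducible.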
@@ -77,7 +86,11 @@ static void avc_free_lock (void *lock);
 /* AVC callback structures for use in avc_init. */
 static const struct avc_log_callback log_cb =
 {
+#ifdef HAVE_LIBAUDIT
+ .func_log = log_callback,
+#else
 .func_log = dbg_log,
+#endif
 .func_audit = NULL
 };
 static const struct avc_thread_callback thread_cb =
@@ -93,6 +106,30 @@ static const struct avc_lock_callback lock_cb =
 .func_free_lock = avc_free_lock
 };
+#ifdef HAVE_LIBAUDIT
+/* The audit system's netlink socket descriptor */
+static int audit_fd = -1;
+
+/* When an avc denial occurs, log it to audit system */
+static void
+log_callback (const char *fmt, ...)
+{
+ va_list ap;
+
+ va_start (ap, fmt);
+ audit_log_avc (audit_fd, AUDIT_USER_AVC, fmt, ap);
+ va_end (ap);
+}
+
+/* Initialize the connection to the audit system */
+static void
+audit_init (void)
+{
+ audit_fd = audit_open ();
+ if (audit_fd < 0)
+ dbg_log (_("Failed opening connection to the audit subsystem"));
+}
+#endif /* HAVE_LIBAUDIT */
 /* Determine if we are running on an SELinux kernel. Set selinux_enabled
 to the result. */
@@ -182,6 +219,9 @@ nscd_avc_init (void)
 error (EXIT_FAILURE, errno, _("Failed to start AVC"));
 else
 dbg_log (_("Access Vector Cache (AVC) started"));
+#ifdef HAVE_LIBAUDIT
+ audit_init ();
+#endif
 }
@@ -262,6 +302,9 @@ void
 nscd_avc_destroy (void)
 {
 avc_destroy ();
+#ifdef HAVE_LIBAUDIT
+ audit_close (audit_fd);
+#endif
 }
 #endif /* HAVE_SELINUX */
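Review bot: When `audit_open ()` fails, `audit_init` logs one message but leaves `audit_fd` at -1 and `log_callback` stays installed, so every subsequent AVC message is handed to `audit_log_avc` with an invalid descriptor and never reaches `dbg_log` — denials are dropped from nscd's own log precisely when the audit connection is unavailable, whereas the non-libaudit build keeps them via `.func_log = dbg_log`. The return value of `audit_log_avc` is discarded too, so a failed send is equally silent. I would fall back to the existing log path when the descriptor is not open and report a failed send, as sketched below; the exact success/failure convention of `audit_log_avc` should be confirmed against the installed libaudit.h. `va_list` and `vsnprintf` need `<stdarg.h>` and `<stdio.h>`, neither of which is among the includes this patch touches — presumably already present in the file, worth checking.
```c
static void
log_callback (const char *fmt, ...)
{
  va_list ap;

  va_start (ap, fmt);
  if (audit_fd < 0)
    {
      /* No audit socket (audit_open failed or was not yet called): keep
	 the denial in nscd's own log instead of dropping it.  */
      char buf[1024];
      vsnprintf (buf, sizeof buf, fmt, ap);
      dbg_log ("%s", buf);
    }
  else if (audit_log_avc (audit_fd, AUDIT_USER_AVC, fmt, ap) < 0)
    dbg_log (_("Failed to send AVC message to the audit subsystem"));
  va_end (ap);
}
```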
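Review bot: `audit_init ()` is called only after the AVC has been started and `dbg_log (_("Access Vector Cache (AVC) started"))` has been issued, yet `log_cb` (with `log_callback` under `HAVE_LIBAUDIT`) is presumably what the `avc_init` call reported on by the `Failed to start AVC` line receives, and that call lies outside this hunk; any denial logged between the two calls — including from the netlink notify thread — therefore goes to `audit_log_avc` with `audit_fd` still -1. Opening the audit connection first closes that window: move the `#ifdef HAVE_LIBAUDIT` / `audit_init ();` / `#endif` block to the top of `nscd_avc_init`, before the AVC is started; the beginning of the function is outside the hunk. It also stops the `Failed opening connection to the audit subsystem` message from appearing after the success message, which reads oddly in the log.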
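Review bot: `audit_close (audit_fd)` leaves `audit_fd` holding the number of a now-closed descriptor, so a late `log_callback` invocation or a second `nscd_avc_destroy` would operate on whatever file the kernel next assigns that number; reset it after closing, `audit_close (audit_fd); audit_fd = -1;`. Closing after `avc_destroy ()` is the right order, since that presumably stops further callbacks before the socket goes away.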