Merge branch 'selinux' into 'master'

SELinux: remap security classes on policyload and update audit log type See merge request xorg/xserver!801
2025-12-20 04:40:02 +01:00 · 2025-12-07 10:34:23 +00:00 · 2025-12-07 10:34:23 +00:00 · e5922fd4ec
commit e5922fd4ec
parent eccee47185 48176e7946
1 changed files with 26 additions and 9 deletions
--- a/Xext/xselinux_hooks.c
+++ b/Xext/xselinux_hooks.c
@ -302,29 +302,46 @@ SELinuxLog(int type, const char *fmt, ...)
 {
    va_list ap;
    char buf[MAX_AUDIT_MESSAGE_LENGTH];
-    int rc, aut;
+    int aut;

    switch (type) {
-    case SELINUX_INFO:
-        aut = AUDIT_USER_MAC_POLICY_LOAD;
+    case SELINUX_ERROR:
+        aut = AUDIT_USER_SELINUX_ERR;
        break;
    case SELINUX_AVC:
        aut = AUDIT_USER_AVC;
        break;
    default:
-        aut = AUDIT_USER_SELINUX_ERR;
+        /* Do not generate an audit event, just log normally. */
+        aut = -1;
        break;
    }

    va_start(ap, fmt);
    vsnprintf(buf, MAX_AUDIT_MESSAGE_LENGTH, fmt, ap);
-    rc = audit_log_user_avc_message(audit_fd, aut, buf, NULL, NULL, NULL, 0);
-    (void) rc;
    va_end(ap);
+
+    if (aut != -1)
+        (void) audit_log_user_avc_message(audit_fd, aut, buf, NULL, NULL, NULL, 0);
    LogMessageVerb(X_WARNING, 0, "%s", buf);
    return 0;
 }

+static int
+SELinuxPolicyLoad(int seqno)
+{
+    LogMessage(X_INFO, "SELinux: PolicyLoad (%d) detected, remapping security classes\n", seqno);
+
+    if (selinux_set_mapping(map) < 0) {
+        if (errno == EINVAL)
+            ErrorF("SELinux: Invalid object class mapping\n");
+        else
+            ErrorF("SELinux: Failed to set up security class mapping\n");
+    }
+
+    return 0;
+}
+
 /*
 * XACE Callbacks
 */
@ -866,9 +883,9 @@ SELinuxFlaskInit(void)
    }

    /* Set up SELinux stuff */
-    selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) SELinuxLog);
-    selinux_set_callback(SELINUX_CB_AUDIT,
-                         (union selinux_callback) SELinuxAudit);
+    selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) { .func_log = SELinuxLog });
+    selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) { .func_audit = SELinuxAudit });
+    selinux_set_callback(SELINUX_CB_POLICYLOAD, (union selinux_callback) { .func_policyload = SELinuxPolicyLoad });

    if (selinux_set_mapping(map) < 0) {
        if (errno == EINVAL) {