diff --git a/Xext/xselinux_hooks.c b/Xext/xselinux_hooks.c index 4007958a9..45ae0c3b6 100644 --- a/Xext/xselinux_hooks.c +++ b/Xext/xselinux_hooks.c @@ -302,29 +302,46 @@ SELinuxLog(int type, const char *fmt, ...) { va_list ap; char buf[MAX_AUDIT_MESSAGE_LENGTH]; - int rc, aut; + int aut; switch (type) { - case SELINUX_INFO: - aut = AUDIT_USER_MAC_POLICY_LOAD; + case SELINUX_ERROR: + aut = AUDIT_USER_SELINUX_ERR; break; case SELINUX_AVC: aut = AUDIT_USER_AVC; break; default: - aut = AUDIT_USER_SELINUX_ERR; + /* Do not generate an audit event, just log normally. */ + aut = -1; break; } va_start(ap, fmt); vsnprintf(buf, MAX_AUDIT_MESSAGE_LENGTH, fmt, ap); - rc = audit_log_user_avc_message(audit_fd, aut, buf, NULL, NULL, NULL, 0); - (void) rc; va_end(ap); + + if (aut != -1) + (void) audit_log_user_avc_message(audit_fd, aut, buf, NULL, NULL, NULL, 0); LogMessageVerb(X_WARNING, 0, "%s", buf); return 0; } +static int +SELinuxPolicyLoad(int seqno) +{ + LogMessage(X_INFO, "SELinux: PolicyLoad (%d) detected, remapping security classes\n", seqno); + + if (selinux_set_mapping(map) < 0) { + if (errno == EINVAL) + ErrorF("SELinux: Invalid object class mapping\n"); + else + ErrorF("SELinux: Failed to set up security class mapping\n"); + } + + return 0; +} + /* * XACE Callbacks */ @@ -866,9 +883,9 @@ SELinuxFlaskInit(void) } /* Set up SELinux stuff */ - selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) SELinuxLog); - selinux_set_callback(SELINUX_CB_AUDIT, - (union selinux_callback) SELinuxAudit); + selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) { .func_log = SELinuxLog }); + selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) { .func_audit = SELinuxAudit }); + selinux_set_callback(SELINUX_CB_POLICYLOAD, (union selinux_callback) { .func_policyload = SELinuxPolicyLoad }); if (selinux_set_mapping(map) < 0) { if (errno == EINVAL) {