fdo-mirrors/xserver
1
0
Fork 0
mirror of https://gitlab.freedesktop.org/xorg/xserver.git synced 2025-12-28 15:40:08 +01:00
Code Issues Projects Releases Packages Wiki Activity Actions

Merge branch 'selinux' into 'master'

Browse source 
SELinux: remap security classes on policyload and update audit log type

See merge request xorg/xserver!801
This commit is contained in:
Christian Göttsche 2025-12-07 10:34:23 +00:00
commit e5922fd4ec
1 changed files with 26 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

35
Xext/xselinux_hooks.c
View file

@ -302,29 +302,46 @@ SELinuxLog(int type, const char *fmt, ...)
{ {
va_list ap; va_list ap;
char buf[MAX_AUDIT_MESSAGE_LENGTH]; char buf[MAX_AUDIT_MESSAGE_LENGTH];
int rc, aut; int aut;
switch (type) { switch (type) {
case SELINUX_INFO: case SELINUX_ERROR:
aut = AUDIT_USER_MAC_POLICY_LOAD; aut = AUDIT_USER_SELINUX_ERR;
break; break;
case SELINUX_AVC: case SELINUX_AVC:
aut = AUDIT_USER_AVC; aut = AUDIT_USER_AVC;
break; break;
default: default:
aut = AUDIT_USER_SELINUX_ERR; /* Do not generate an audit event, just log normally. */
aut = -1;
break; break;
} }
va_start(ap, fmt); va_start(ap, fmt);
vsnprintf(buf, MAX_AUDIT_MESSAGE_LENGTH, fmt, ap); vsnprintf(buf, MAX_AUDIT_MESSAGE_LENGTH, fmt, ap);
rc = audit_log_user_avc_message(audit_fd, aut, buf, NULL, NULL, NULL, 0);
(void) rc;
va_end(ap); va_end(ap);
if (aut != -1)
(void) audit_log_user_avc_message(audit_fd, aut, buf, NULL, NULL, NULL, 0);
LogMessageVerb(X_WARNING, 0, "%s", buf); LogMessageVerb(X_WARNING, 0, "%s", buf);
return 0; return 0;
} }
static int
SELinuxPolicyLoad(int seqno)
{
LogMessage(X_INFO, "SELinux: PolicyLoad (%d) detected, remapping security classes\n", seqno);
if (selinux_set_mapping(map) < 0) {
if (errno == EINVAL)
ErrorF("SELinux: Invalid object class mapping\n");
else
ErrorF("SELinux: Failed to set up security class mapping\n");
}
return 0;
}
/* /*
* XACE Callbacks * XACE Callbacks
*/ */
@ -866,9 +883,9 @@ SELinuxFlaskInit(void)
} }
/* Set up SELinux stuff */ /* Set up SELinux stuff */
selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) SELinuxLog); selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) { .func_log = SELinuxLog });
selinux_set_callback(SELINUX_CB_AUDIT, selinux_set_callback(SELINUX_CB_AUDIT, (union selinux_callback) { .func_audit = SELinuxAudit });
(union selinux_callback) SELinuxAudit); selinux_set_callback(SELINUX_CB_POLICYLOAD, (union selinux_callback) { .func_policyload = SELinuxPolicyLoad });
if (selinux_set_mapping(map) < 0) { if (selinux_set_mapping(map) < 0) {
if (errno == EINVAL) { if (errno == EINVAL) {