| field | value | date |
|---|---|---|
| author | William Roberts <william.c.roberts@intel.com> | 2015-10-05 12:31:03 -0700 |
| committer | William Roberts <william.c.roberts@intel.com> | 2015-10-06 11:59:56 -0700 |
| commit | c49a2755ee3b6a32347e69856116ec7b32e7c5a6 | |
| tree | 5c5fc355d04d03775d5181a02d60590ba908f76b | |
| parent | 87ceb1e29e97a79091b51936c12f1f82d5a328d0 | |
| download | libselinux-c49a2755ee3b6a32347e69856116ec7b32e7c5a6.tar.gz | |
audit: log permissive from access decision
The userspace object managers were missing the permissive=0|1 as found in the
kernel logs. This is important when debugging potential policy issues.
To remedy this, add the permissive result from the access decision at the
end of the audit logs. A shortened log sample from Android:
avc: denied { find } <snip> tclass=service_manager permissive=1
Change-Id: Ic92852f3bad258982d8f68dc93d978612a52db04
Signed-off-by: William Roberts <william.c.roberts@intel.com>
| mode | file | lines |
|---|---|---|
| -rw-r--r-- | src/avc.c | 5 |

1 files changed, 5 insertions, 0 deletions
@@ -683,6 +683,11 @@ void avc_audit(security_id_t ssid, security_id_t tsid, log_append(avc_audit_buf, " "); avc_dump_query(ssid, tsid, tclass); + + /* append permissive=0|1 like the kernel at the end */ + if (denied || !requested) + log_append(avc_audit_buf, " permissive=%d", !result); + log_append(avc_audit_buf, "\n"); avc_log(SELINUX_AVC, "%s", avc_audit_buf); |
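Review bot: the `!result` in `log_append(avc_audit_buf, " permissive=%d", !result);` needs a comment stating what `result` is, because the value only reads correctly once you know it is the return code of the access decision (zero meaning the access was allowed): a denial that still returned zero is one that was not enforced, hence permissive=1, while a non-zero return gives permissive=0; `/* append permissive=0|1 like the kernel at the end */` does not convey that inversion, and a later change to the sign or meaning of `result` would silently flip the logged value. The guard `if (denied || !requested)` also means the field is appended only for denied (or empty-request) messages and never on granted or auditallow entries; if that is the intended kernel-compatible behaviour, say so in the same comment so that consumers parsing these logs do not treat a missing `permissive=` on granted lines as a formatting error.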