authorWilliam Roberts <william.c.roberts@intel.com>2015-10-05 12:31:03 -0700
committerWilliam Roberts <william.c.roberts@intel.com>2015-10-06 11:59:56 -0700
commitc49a2755ee3b6a32347e69856116ec7b32e7c5a6 (patch)
tree5c5fc355d04d03775d5181a02d60590ba908f76b
parent87ceb1e29e97a79091b51936c12f1f82d5a328d0 (diff)
downloadlibselinux-c49a2755ee3b6a32347e69856116ec7b32e7c5a6.tar.gz
audit: log permissive from access decision
The userspace object managers were missing the permissive=0|1 as found in the kernel logs. This is important when debugging potential policy issues. To remedy this, add the permissive result from the access decision at the end of the audit logs. A shortened log sample from Android: avc: denied { find } <snip> tclass=service_manager permissive=1 Change-Id: Ic92852f3bad258982d8f68dc93d978612a52db04 Signed-off-by: William Roberts <william.c.roberts@intel.com>
-rw-r--r--src/avc.c5
1 files changed, 5 insertions, 0 deletions
diff --git a/src/avc.c b/src/avc.c
index 15167f0..528d897 100644
--- a/src/avc.c
+++ b/src/avc.c
@@ -683,6 +683,11 @@ void avc_audit(security_id_t ssid, security_id_t tsid,
log_append(avc_audit_buf, " ");
avc_dump_query(ssid, tsid, tclass);
+
+ /* append permissive=0|1 like the kernel at the end */
+ if (denied || !requested)
+ log_append(avc_audit_buf, " permissive=%d", !result);
+
log_append(avc_audit_buf, "\n");
avc_log(SELINUX_AVC, "%s", avc_audit_buf);