You can not select more than 25 topics
Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
79 lines
2.3 KiB
79 lines
2.3 KiB
2 years ago
|
From 96888e99c5103d9dea5230c917b946732de2d302 Mon Sep 17 00:00:00 2001
|
||
|
From: Panu Matilainen <pmatilai@redhat.com>
|
||
|
Date: Thu, 22 Sep 2022 11:54:47 +0300
|
||
|
Subject: [PATCH] Add a handler for libselinux log messages (RhBug:2123719,
|
||
|
RhBug:2050774)
|
||
|
|
||
|
libselinux logs to stderr by default, which up to now has been just fine
|
||
|
with us. However somewhere around libselinux 3.2 it begun issuing
|
||
|
log messages for events discovered in selinux_status_updated().
|
||
|
We only call that to see whether the status *was* updated behind our
|
||
|
back and are not interested in these audit-style messages for our
|
||
|
functionality, but to suppress them while preserving actually relevant
|
||
|
errors and warnings, we need to have a log callback of our own. Might as
|
||
|
well forward them to rpmlog then.
|
||
|
|
||
|
SELINUX_ERROR and SELINUX_WARNING are pretty obvious, of SELINUX_AVC
|
||
|
selinux_set_callback(3) says it should be treated as SELINUX_ERROR if
|
||
|
not audited. The rest we suppress to debug messages, they may be handy
|
||
|
for diagnostics some day.
|
||
|
|
||
|
Note that this intentionally avoids explicit SELINUX_POLICYLOAD and
|
||
|
SELINUX_SETENFORCE cases in the switch: we don't want to introduce
|
||
|
libselinux >= 3.2 dependency just because of this silly thing.
|
||
|
---
|
||
|
plugins/selinux.c | 30 ++++++++++++++++++++++++++++++
|
||
|
1 file changed, 30 insertions(+)
|
||
|
|
||
|
diff --git a/plugins/selinux.c b/plugins/selinux.c
|
||
|
index 747f62d05..0f10331f0 100644
|
||
|
--- a/plugins/selinux.c
|
||
|
+++ b/plugins/selinux.c
|
||
|
@@ -18,6 +18,35 @@ static inline rpmlogLvl loglvl(int iserror)
|
||
|
return iserror ? RPMLOG_ERR : RPMLOG_DEBUG;
|
||
|
}
|
||
|
|
||
|
+static int logcb(int type, const char *fmt, ...)
|
||
|
+{
|
||
|
+ char *buf = NULL;
|
||
|
+ va_list ap;
|
||
|
+ int lvl;
|
||
|
+
|
||
|
+ switch (type) {
|
||
|
+ case SELINUX_ERROR:
|
||
|
+ case SELINUX_AVC:
|
||
|
+ lvl = RPMLOG_ERR;
|
||
|
+ break;
|
||
|
+ case SELINUX_WARNING:
|
||
|
+ lvl = RPMLOG_WARNING;
|
||
|
+ break;
|
||
|
+ default:
|
||
|
+ lvl = RPMLOG_DEBUG;
|
||
|
+ break;
|
||
|
+ }
|
||
|
+
|
||
|
+ va_start(ap, fmt);
|
||
|
+ rvasprintf(&buf, fmt, ap);
|
||
|
+ va_end(ap);
|
||
|
+
|
||
|
+ rpmlog(lvl, "libselinux: type %d: %s", type, buf);
|
||
|
+ free(buf);
|
||
|
+
|
||
|
+ return 0;
|
||
|
+}
|
||
|
+
|
||
|
static void sehandle_fini(int close_status)
|
||
|
{
|
||
|
if (sehandle) {
|
||
|
@@ -44,6 +73,7 @@ static rpmRC sehandle_init(int open_status)
|
||
|
if (selinux_status_open(0) < 0) {
|
||
|
return RPMRC_FAIL;
|
||
|
}
|
||
|
+ selinux_set_callback(SELINUX_CB_LOG, (union selinux_callback) &logcb);
|
||
|
} else if (!selinux_status_updated() && sehandle) {
|
||
|
return RPMRC_OK;
|
||
|
}
|
||
|
--
|
||
|
2.38.1
|
||
|
|