On Tuesday 06 December 2005 14:59, Timothy R. Chavez wrote: details, details,... :) Attached is a patch that hardwires important SE Linux events to the audit system. Please Apply. Signed-off-by: Steve Grubb <sgrubb(a)redhat.com&gt; diff -urp linux-2.6.14.orig/include/linux/audit.h linux-2.6.14/include/linux/audit.h --- linux-2.6.14.orig/include/linux/audit.h 2005-12-06 15:18:10.000000000 -0500 +++ linux-2.6.14/include/linux/audit.h 2005-12-06 15:23:33.000000000 -0500 @@ -83,6 +83,9 @@ #define AUDIT_AVC 1400 /* SE Linux avc denial or grant */ #define AUDIT_SELINUX_ERR 1401 /* Internal SE Linux Errors */ #define AUDIT_AVC_PATH 1402 /* dentry, vfsmount pair from avc */ +#define AUDIT_MAC_POLICY_LOAD 1403 /* Policy file load */ +#define AUDIT_MAC_STATUS 1404 /* Changed enforcing,permissive,off */ +#define AUDIT_MAC_CONFIG_CHANGE 1405 /* Changes to booleans */ #define AUDIT_KERNEL 2000 /* Asynchronous audit record. NOT A REQUEST. */ diff -urp linux-2.6.14.orig/security/selinux/selinuxfs.c linux-2.6.14/security/selinux/selinuxfs.c --- linux-2.6.14.orig/security/selinux/selinuxfs.c 2005-12-06 15:18:20.000000000 -0500 +++ linux-2.6.14/security/selinux/selinuxfs.c 2005-12-06 15:23:55.000000000 -0500 @@ -21,6 +21,7 @@ #include <linux/major.h> #include <linux/seq_file.h> #include <linux/percpu.h> +#include <linux/audit.h> #include <asm/uaccess.h> #include <asm/semaphore.h> @@ -126,6 +127,10 @@ static ssize_t sel_write_enforce(struct length = task_has_security(current, SECURITY__SETENFORCE); if (length) goto out; + audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, + "enforcing=%d old_enforcing=%d auid=%u", new_value, + selinux_enforcing, + audit_get_loginuid(current->audit_context)); selinux_enforcing = new_value; if (selinux_enforcing) avc_ss_reset(0); @@ -176,6 +181,9 @@ static ssize_t sel_write_disable(struct length = selinux_disable(); if (length < 0) goto out; + audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, + "selinux=0 auid=%u", + audit_get_loginuid(current->audit_context)); } length = count; @@ -261,6 +269,9 @@ static ssize_t sel_write_load(struct fil length = ret; else length = count; + audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD, + "policy loaded auid=%u", + audit_get_loginuid(current->audit_context)); out: up(&sel_sem); vfree(data); diff -urp linux-2.6.14.orig/security/selinux/ss/services.c linux-2.6.14/security/selinux/ss/services.c --- linux-2.6.14.orig/security/selinux/ss/services.c 2005-12-06 15:18:20.000000000 -0500 +++ linux-2.6.14/security/selinux/ss/services.c 2005-12-06 15:23:33.000000000 -0500 @@ -1758,19 +1758,22 @@ int security_set_bools(int len, int *val goto out; } - printk(KERN_INFO "security: committed booleans { "); for (i = 0; i < len; i++) { + if (!!values[i] != policydb.bool_val_to_struct[i]->state) { + audit_log(current->audit_context, GFP_ATOMIC, + AUDIT_MAC_CONFIG_CHANGE, + "bool=%s val=%d old_val=%d auid=%u", + policydb.p_bool_val_to_name[i], + !!values[i], + policydb.bool_val_to_struct[i]->state, + audit_get_loginuid(current->audit_context)); + } if (values[i]) { policydb.bool_val_to_struct[i]->state = 1; } else { policydb.bool_val_to_struct[i]->state = 0; } - if (i != 0) - printk(", "); - printk("%s:%d", policydb.p_bool_val_to_name[i], - policydb.bool_val_to_struct[i]->state); } - printk(" }\n"); for (cur = policydb.cond_list; cur != NULL; cur = cur->next) { rc = evaluate_cond_node(&policydb, cur);