On Mon, Apr 9, 2018 at 7:36 PM, Richard Guy Briggs
<rgb(a)redhat.com> wrote:
> The audit MAC_POLICY_LOAD record had redundant dangling keywords and was
> missing information about which LSM was responsible and its completion
> status. While this record is only issued on success, the parser expects
> the res= field to be present.
>
> Old record:
> type=MAC_POLICY_LOAD msg=audit(1479299795.404:43): policy loaded auid=0 ses=1
>
> Delete the redundant dangling keywords, add the lsm= field and the res=
> field.
>
> New record:
> type=MAC_POLICY_LOAD msg=audit(1523293846.204:894): auid=0 ses=1 lsm=selinux res=1
>
> See:
https://github.com/linux-audit/audit-kernel/issues/47
> Signed-off-by: Richard Guy Briggs <rgb(a)redhat.com>
> ---
> security/selinux/selinuxfs.c | 2 +-
> 1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
> index 00b21b2..496915a 100644
> --- a/security/selinux/selinuxfs.c
> +++ b/security/selinux/selinuxfs.c
> @@ -531,7 +531,7 @@ static ssize_t sel_write_load(struct file *file, const char
__user *buf,
>
> out1:
> audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
> - "policy loaded auid=%u ses=%u",
> + "auid=%u ses=%u lsm=selinux res=1",
This is another case of NACK on principle, but I think we can make an
exception in this particular case.
Also like the other patch, this will need to wait for the merge window
to close before I can merge it.
> from_kuid(&init_user_ns,
audit_get_loginuid(current)),
> audit_get_sessionid(current));
> out:
> --
> 1.8.3.1