diff options
| author | KaiGai Kohei <[email protected]> | 2009-06-18 17:26:13 +0900 |
|---|---|---|
| committer | James Morris <[email protected]> | 2009-06-19 00:12:28 +1000 |
| commit | 44c2d9bdd7022ca7d240d5adc009296fc1c6ce08 (patch) | |
| tree | 33115ee8d7e167d2a26558c2af8e0edfdca099d5 /scripts/stackusage | |
| parent | caabbdc07df4249f2ed516b2c3e2d6b0973bcbb3 (diff) | |
Add audit messages on type boundary violations
The attached patch adds support to generate audit messages on two cases.
The first one is a case when a multi-thread process tries to switch its
performing security context using setcon(3), but new security context is
not bounded by the old one.
type=SELINUX_ERR msg=audit(1245311998.599:17): \
op=security_bounded_transition result=denied \
oldcontext=system_u:system_r:httpd_t:s0 \
newcontext=system_u:system_r:guest_webapp_t:s0
The other one is a case when security_compute_av() masked any permissions
due to the type boundary violation.
type=SELINUX_ERR msg=audit(1245312836.035:32): \
op=security_compute_av reason=bounds \
scontext=system_u:object_r:user_webapp_t:s0 \
tcontext=system_u:object_r:shadow_t:s0:c0 \
tclass=file perms=getattr,open
Signed-off-by: KaiGai Kohei <[email protected]>
Acked-by: Stephen Smalley <[email protected]>
Signed-off-by: James Morris <[email protected]>
Diffstat (limited to 'scripts/stackusage')
0 files changed, 0 insertions, 0 deletions