44c2d9bdd7
The attached patch adds support to generate audit messages on two cases. The first one is a case when a multi-thread process tries to switch its performing security context using setcon(3), but new security context is not bounded by the old one. type=SELINUX_ERR msg=audit(1245311998.599:17): \ op=security_bounded_transition result=denied \ oldcontext=system_u:system_r:httpd_t:s0 \ newcontext=system_u:system_r:guest_webapp_t:s0 The other one is a case when security_compute_av() masked any permissions due to the type boundary violation. type=SELINUX_ERR msg=audit(1245312836.035:32): \ op=security_compute_av reason=bounds \ scontext=system_u:object_r:user_webapp_t:s0 \ tcontext=system_u:object_r:shadow_t:s0:c0 \ tclass=file perms=getattr,open Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org> |
||
---|---|---|
.. | ||
audit.h | ||
av_inherit.h | ||
av_perm_to_string.h | ||
av_permissions.h | ||
avc_ss.h | ||
avc.h | ||
class_to_string.h | ||
common_perm_to_string.h | ||
conditional.h | ||
flask.h | ||
initial_sid_to_string.h | ||
netif.h | ||
netlabel.h | ||
netnode.h | ||
netport.h | ||
objsec.h | ||
security.h | ||
xfrm.h |