From: Richard Guy Briggs
To: Linux-Audit Mailing List, LKML, SElinux list, Linux Security Module list
Cc: Eric Paris, Paul Moore, Steve Grubb, Richard Guy Briggs
Subject: [PATCH ghak46 V1] audit: normalize MAC_STATUS record
Date: Mon, 9 Apr 2018 19:34:22 -0400
Message-Id: <6b939250a519668af109adf877d85ff018b217d7.1523316267.git.rgb@redhat.com>

There were two formats of the audit MAC_STATUS record, one of which was
more standard than the other. One listed enforcing status changes and
the other listed enabled status changes with a non-standard label. In
addition, the record was missing information about which LSM was
responsible and the operation's completion status. While this record is
only issued on success, the parser expects the res= field to be present.

old enforcing/permissive:
type=MAC_STATUS msg=audit(1523312831.378:24514): enforcing=0 old_enforcing=1 auid=0 ses=1

old enable/disable:
type=MAC_STATUS msg=audit(1523312831.378:24514): selinux=0 auid=0 ses=1

List both sets of status and old values and add the lsm= field and the
res= field. Here is the new format:
type=MAC_STATUS msg=audit(1523293828.657:891): enforcing=0 old_enforcing=1 auid=0 ses=1 enabled=1 old-enabled=1 lsm=selinux res=1

This record already accompanied a SYSCALL record.

See: https://github.com/linux-audit/audit-kernel/issues/46
Signed-off-by: Richard Guy Briggs --- security/selinux/selinuxfs.c | 11 +++++++---- 1 file changed, 7 insertions(+), 4 deletions(-) diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 00eed84..00b21b2 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -145,10 +145,11 @@ static ssize_t sel_write_enforce(struct file *file, const char __user *buf, if (length) goto out; audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, - "enforcing=%d old_enforcing=%d auid=%u ses=%u", + "enforcing=%d old_enforcing=%d auid=%u ses=%u" + " enabled=%d old-enabled=%d lsm=selinux res=1", new_value, selinux_enforcing, from_kuid(&init_user_ns, audit_get_loginuid(current)), - audit_get_sessionid(current)); + audit_get_sessionid(current), selinux_enabled, selinux_enabled); selinux_enforcing = new_value; if (selinux_enforcing) avc_ss_reset(0); @@ -272,9 +273,11 @@ static ssize_t sel_write_disable(struct file *file, const char __user *buf, if (length) goto out; audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_STATUS, - "selinux=0 auid=%u ses=%u", + "enforcing=%d old_enforcing=%d auid=%u ses=%u" + " enabled=%d old-enabled=%d lsm=selinux res=1", + selinux_enforcing, selinux_enforcing, from_kuid(&init_user_ns, audit_get_loginuid(current)), - audit_get_sessionid(current)); + audit_get_sessionid(current), 0, 1); } length = count; -- 1.8.3.1
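Review bot: in the sel_write_enforce hunk the new field is spelled `old-enabled` with a hyphen while the adjacent `old_enforcing` uses an underscore, so the record this patch sets out to normalize still mixes two naming conventions on one line; unless an existing userspace consumer already depends on the hyphenated spelling, `old_enabled` would match the neighbouring field and the commit message's stated goal. The rest of the hunk reads correctly: the audit_log call stays ahead of `selinux_enforcing = new_value;`, so old_enforcing= still reports the previous value, and the hard-coded `res=1` is justified by the `if (length) goto out;` that precedes the call.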
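Review bot: in the sel_write_disable hunk the enabled=/old-enabled= values are passed as the bare literals `0, 1`, whereas the sel_write_enforce hunk passes `selinux_enabled` for the same two fields. The diff context does not show what produced `length`, so a reader cannot tell from the hunk whether the enabled flag has already been cleared by the time the record is written, which is presumably why `1` is hard-coded; either a one-line comment saying so, or reading the old value into a local before the operation that sets `length` and passing that local, would make the literals self-explaining and keep the two call sites consistent. Passing `selinux_enforcing` for both enforcing= and old_enforcing= is fine, since disabling the LSM leaves the enforcing setting untouched, but that too deserves a brief comment.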
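To show how a consumer copes with the three MAC_STATUS layouts quoted in the commit message, here is a small Python parser added as an example; it is not part of the patch or of any audit userspace tool. It assumes records arrive as plain text lines (the three samples are constructed from the commit message) and flags the transitions a detection rule would key on: SELinux being disabled or dropping from enforcing to permissive.

```python
import re

# Constructed samples: the two old MAC_STATUS layouts and the new normalized one.
SAMPLE_RECORDS = [
    "type=MAC_STATUS msg=audit(1523312831.378:24514): enforcing=0 old_enforcing=1 auid=0 ses=1",
    "type=MAC_STATUS msg=audit(1523312831.378:24514): selinux=0 auid=0 ses=1",
    "type=MAC_STATUS msg=audit(1523293828.657:891): enforcing=0 old_enforcing=1 auid=0 ses=1 "
    "enabled=1 old-enabled=1 lsm=selinux res=1",
]

_HDR = re.compile(r"^type=(?P<type>\w+) msg=audit\((?P<ts>[\d.]+):(?P<serial>\d+)\):(?P<rest>.*)$")
_KV = re.compile(r"([\w-]+)=(\S+)")  # hyphen allowed so old-enabled= is captured


def parse_record(line):
    """Split one audit record into type, timestamp, serial and its key=value fields."""
    m = _HDR.match(line.strip())
    if not m:
        return None
    return {"type": m.group("type"), "ts": float(m.group("ts")),
            "serial": int(m.group("serial")), "fields": dict(_KV.findall(m.group("rest")))}


def _int(v):
    return None if v is None else int(v)


def normalize_mac_status(rec):
    """Map any of the three layouts onto the new field set; unknown values stay None."""
    f = rec["fields"]
    out = {"lsm": f.get("lsm"), "res": f.get("res"), "has_res": "res" in f}
    if "selinux" in f:  # old enable/disable layout: only the non-standard selinux= label
        out.update(enabled=int(f["selinux"]), old_enabled=None,
                   enforcing=None, old_enforcing=None, lsm="selinux")
    else:               # old enforcing layout or the new layout
        out.update(enforcing=_int(f.get("enforcing")), old_enforcing=_int(f.get("old_enforcing")),
                   enabled=_int(f.get("enabled")), old_enabled=_int(f.get("old-enabled")))
    return out


def find_downgrades(lines):
    """Return serials of MAC_STATUS records where SELinux was disabled or left enforcing mode."""
    hits = []
    for line in lines:
        rec = parse_record(line)
        if not rec or rec["type"] != "MAC_STATUS":
            continue
        n = normalize_mac_status(rec)
        if n["enabled"] == 0 or (n["old_enforcing"] == 1 and n["enforcing"] == 0):
            hits.append(rec["serial"])
    return hits
```

The `has_res` flag lets a consumer distinguish pre-patch records, which lack the res= field the commit message says the parser expects, from post-patch ones.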