linux_dsm_epyc7002/security/selinux
KaiGai Kohei 44c2d9bdd7 Add audit messages on type boundary violations
The attached patch adds support to generate audit messages on two cases.

The first one is a case when a multi-thread process tries to switch its
performing security context using setcon(3), but new security context is
not bounded by the old one.

  type=SELINUX_ERR msg=audit(1245311998.599:17):        \
      op=security_bounded_transition result=denied      \
      oldcontext=system_u:system_r:httpd_t:s0           \
      newcontext=system_u:system_r:guest_webapp_t:s0

The other one is a case when security_compute_av() masked any permissions
due to the type boundary violation.

  type=SELINUX_ERR msg=audit(1245312836.035:32):	\
      op=security_compute_av reason=bounds              \
      scontext=system_u:object_r:user_webapp_t:s0       \
      tcontext=system_u:object_r:shadow_t:s0:c0         \
      tclass=file perms=getattr,open

Signed-off-by: KaiGai Kohei <kaigai@ak.jp.nec.com>
Acked-by:  Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
2009-06-19 00:12:28 +10:00
..
include Add audit messages on type boundary violations 2009-06-19 00:12:28 +10:00
ss Add audit messages on type boundary violations 2009-06-19 00:12:28 +10:00
avc.c Add audit messages on type boundary violations 2009-06-19 00:12:28 +10:00
exports.c CRED: Wrap current->cred and a few other accessors 2008-11-14 10:39:18 +11:00
hooks.c selinux: Fix send_sigiotask hook 2009-05-05 08:31:03 +10:00
Kconfig selinux: Deprecate and schedule the removal of the the compat_net functionality 2008-12-31 12:54:11 -05:00
Makefile SELinux: Add network port SID cache 2008-04-18 20:26:16 +10:00
netif.c SELinux fixups needed for preemptable RCU from -rt 2008-04-22 15:37:23 +10:00
netlabel.c netlabel: Label incoming TCP connections correctly in SELinux 2009-03-28 15:01:36 +11:00
netlink.c SELinux: netlink.c whitespace, syntax, and static declaraction cleanups 2008-04-21 19:05:05 +10:00
netnode.c SELinux: keep the code clean formating and syntax 2008-07-14 15:01:36 +10:00
netport.c SELinux: keep the code clean formating and syntax 2008-07-14 15:01:36 +10:00
nlmsgtab.c SELinux: new permission between tty audit and audit socket 2009-03-06 08:50:21 +11:00
selinuxfs.c selinux: Remove the "compat_net" compatibility code 2009-03-28 15:01:37 +11:00
xfrm.c CRED: Wrap current->cred and a few other accessors 2008-11-14 10:39:18 +11:00