authorChris PeBenito <chpebeni@linux.microsoft.com>2020-09-14 11:34:04 -0400
committerSimon McVittie <smcv@collabora.com>2020-11-23 13:07:19 +0000
commit2d5d40d5a598f033c46d1fad9b4062c3725964fc (patch)
treec10f313a360bb28b2ba8e96b183d74e19011956d /bus
parent8e028f2002b0ba2921e25f6a3a8b00229416f866 (diff)
bus/selinux: Fix audit message types.
The SELinux log callback includes a message type. Not all messages are auditable, and those that are have varying audit types. An audit message is a security-relevant event: security state changes, MAC permission denied, etc. A message that is auditable is not necessarily sensitive. Messages that are not auditable are not security-relevant, like messages about socket polling errors. Update the auditing accordingly. If the message is not auditable, fall through and write it to syslog.

Signed-off-by: Chris PeBenito <chpebeni@linux.microsoft.com>
Diffstat (limited to 'bus')
-rw-r--r--bus/selinux.c30
1 files changed, 27 insertions, 3 deletions
diff --git a/bus/selinux.c b/bus/selinux.c
index 7e63348c..42017e7a 100644
--- a/bus/selinux.c
+++ b/bus/selinux.c
@@ -96,7 +96,7 @@ log_callback (int type, const char *fmt, ...)
{
va_list ap;
#ifdef HAVE_LIBAUDIT
- int audit_fd;
+ int audit_fd, audit_type;
#endif
va_start(ap, fmt);
@@ -114,9 +114,33 @@ log_callback (int type, const char *fmt, ...)
/* FIXME: need to change this to show real user */
vsnprintf(buf, sizeof(buf), fmt, ap);
- audit_log_user_avc_message(audit_fd, AUDIT_USER_AVC, buf, NULL, NULL,
+
+ switch (type)
+ {
+ case SELINUX_AVC:
+ audit_type = AUDIT_USER_AVC;
+ break;
+#if defined(SELINUX_POLICYLOAD) && defined(AUDIT_USER_MAC_POLICY_LOAD)
+ case SELINUX_POLICYLOAD:
+ audit_type = AUDIT_USER_MAC_POLICY_LOAD;
+ break;
+#endif
+#if defined(SELINUX_SETENFORCE) && defined(AUDIT_USER_MAC_STATUS)
+ case SELINUX_SETENFORCE:
+ audit_type = AUDIT_USER_MAC_STATUS;
+ break;
+#endif
+ default:
+ /* Not auditable */
+ audit_type = 0;
+ break;
+ }
+
+ if (audit_type > 0) {
+ audit_log_user_avc_message(audit_fd, audit_type, buf, NULL, NULL,
NULL, getuid());
- goto out;
+ goto out;
+ }
}
#endif /* HAVE_LIBAUDIT */
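Review bot: The new non-auditable path (the `default:` case sets audit_type to 0, so the `goto out` is skipped) leaves the `if (audit_fd >= 0)` block after `vsnprintf(buf, sizeof(buf), fmt, ap)` has already consumed `ap`; the syslog write the description says follows is outside the hunk, but if it is a `vsyslog(..., fmt, ap)` call it now reuses a va_list that has been passed to a v*-function, which C11 7.16.1 leaves indeterminate. Before this change the audit branch always reached `goto out`, so that reuse could not happen; formatting the audit copy from a va_copy and va_end-ing it keeps `ap` intact for the fallthrough. Separately, when the libaudit or libselinux headers lack AUDIT_USER_MAC_POLICY_LOAD or AUDIT_USER_MAC_STATUS the guarded cases compile out and policy-load and setenforce messages go to syslog only; a comment on those `#if` lines such as `/* older headers: these events fall back to syslog rather than audit */` would make that silent downgrade visible to packagers. log_callback's body continues outside the hunk.
```c
      /* FIXME: need to change this to show real user */
      va_list audit_ap;
      va_copy(audit_ap, ap);
      vsnprintf(buf, sizeof(buf), fmt, audit_ap);
      va_end(audit_ap);
      /* … unchanged: switch on type, audit_log_user_avc_message, goto out … */
```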