diff options
author | Todd C. Miller <Todd.Miller@courtesan.com> | 2014-07-12 10:04:19 -0600 |
---|---|---|
committer | Todd C. Miller <Todd.Miller@courtesan.com> | 2014-07-12 10:04:19 -0600 |
commit | 466cc85b335b212d829fcaa6718dcef358cfe3c9 (patch) | |
tree | fecb8673b659b5d7f747da2f17f19d0a8d226853 /src/selinux.c | |
parent | ef1da22d749166fbedcd345461c1137e1317074f (diff) | |
download | sudo-466cc85b335b212d829fcaa6718dcef358cfe3c9.tar.gz |
Audit failed user role changes. RedHat bz #665131
Diffstat (limited to 'src/selinux.c')
-rw-r--r-- | src/selinux.c | 13 |
1 files changed, 9 insertions, 4 deletions
diff --git a/src/selinux.c b/src/selinux.c index 4245fe46b..9e0983bc1 100644 --- a/src/selinux.c +++ b/src/selinux.c @@ -63,7 +63,7 @@ static struct selinux_state { #ifdef HAVE_LINUX_AUDIT static int audit_role_change(const security_context_t old_context, - const security_context_t new_context, const char *ttyn) + const security_context_t new_context, const char *ttyn, int result) { int au_fd, rc = -1; char *message; @@ -80,7 +80,7 @@ audit_role_change(const security_context_t old_context, sudo_easprintf(&message, "newrole: old-context=%s new-context=%s", old_context, new_context); rc = audit_log_user_message(au_fd, AUDIT_USER_ROLE_CHANGE, - message, NULL, NULL, ttyn, 1); + message, NULL, NULL, ttyn, result); if (rc <= 0) sudo_warn(U_("unable to send audit message")); sudo_efree(message); @@ -335,8 +335,13 @@ selinux_setup(const char *role, const char *type, const char *ttyn, sudo_warnx("your old context was %s", se_state.old_context); #endif se_state.new_context = get_exec_context(se_state.old_context, role, type); - if (!se_state.new_context) + if (!se_state.new_context) { +#ifdef HAVE_LINUX_AUDIT + audit_role_change(se_state.old_context, "?", + se_state.ttyn, 0); +#endif goto done; + } if (relabel_tty(ttyn, ptyfd) < 0) { sudo_warn(U_("unable to set tty context to %s"), se_state.new_context); @@ -352,7 +357,7 @@ selinux_setup(const char *role, const char *type, const char *ttyn, #ifdef HAVE_LINUX_AUDIT audit_role_change(se_state.old_context, se_state.new_context, - se_state.ttyn); + se_state.ttyn, 1); #endif rval = 0; |