Change audit2why to return constraint information on denial.

This patch uses Richard Haines' fixes in libsepol to help identify which
constraint is blocking access.  The end goal is helping policy writers
and administrators to diagnose issues with their policy.
Dan Walsh 2013-10-28 10:09:55 -04:00 committed by Stephen Smalley
parent 9eefe11b3a
commit 6d0f111421


@ -299,6 +299,7 @@ static PyObject *init(PyObject *self __attribute__((unused)), PyObject *args) {
}
static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args) {
char *reason_buf = NULL;
security_context_t scon;
security_context_t tcon;
char *tclassstr;
@ -364,7 +365,7 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
}
/* Reproduce the computation. */
rc = sepol_compute_av_reason(ssid, tsid, tclass, av, &avd, &reason);
rc = sepol_compute_av_reason_buffer(ssid, tsid, tclass, av, &avd, &reason, &reason_buf, 0);
if (rc < 0)
RETURN(BADCOMPUTE)
@ -404,6 +405,12 @@ static PyObject *analyze(PyObject *self __attribute__((unused)) , PyObject *args
}
if (reason & SEPOL_COMPUTEAV_CONS) {
if (reason_buf) {
PyObject *result = NULL;
result = Py_BuildValue("is", CONSTRAINT, reason_buf);
free(reason_buf);
return result;
}
RETURN(CONSTRAINT)
}
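Review bot: `reason_buf` is freed only inside the `if (reason_buf)` branch of the `SEPOL_COMPUTEAV_CONS` check in the last hunk, so any other exit from analyze() after the `sepol_compute_av_reason_buffer()` call can leak it. The visible case is `if (rc < 0) RETURN(BADCOMPUTE)` directly after the call, which leaks if libsepol can leave the buffer allocated on error. The returns between that line and the constraint check are outside the hunks, but they presumably return without freeing when `reason` carries another bit alongside a constraint denial. Because a Python caller may invoke analyze() once per audit record, I would add `free(reason_buf);` before each of those returns, or route them all through one cleanup label. The declaration would also benefit from an ownership comment such as `/* allocated by sepol_compute_av_reason_buffer(); must be free()d on every return path */`.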