
Include permissive/enforcing state in sepgsql log messages.

SELinux itself does this (at least in modern releases), and it
seems like a good idea to reduce confusion.

Dave Page

Discussion: https://postgr.es/m/CA+OCxowsQoLEYc=jN7OtNvOdX0Jg5L7nMYt++=k0X78HGq-sXg@mail.gmail.com
This commit is contained in:
Tom Lane
2022-01-12 14:23:13 -05:00
parent a18b6d2dc2
commit 134d974636
7 changed files with 649 additions and 638 deletions


@ -676,6 +676,7 @@ sepgsql_getenforce(void)
*/
void
sepgsql_audit_log(bool denied,
bool enforcing,
const char *scontext,
const char *tcontext,
uint16 tclass,
@ -713,6 +714,11 @@ sepgsql_audit_log(bool denied,
if (audit_name)
appendStringInfo(&buf, " name=\"%s\"", audit_name);
if (enforcing)
appendStringInfoString(&buf, " permissive=0");
else
appendStringInfoString(&buf, " permissive=1");
ereport(LOG, (errmsg("SELinux: %s", buf.data)));
}
@ -907,6 +913,7 @@ sepgsql_check_perms(const char *scontext,
uint32 denied;
uint32 audited;
bool result = true;
bool enforcing;
sepgsql_compute_avd(scontext, tcontext, tclass, &avd);
@ -918,9 +925,10 @@ sepgsql_check_perms(const char *scontext,
audited = (denied ? (denied & avd.auditdeny)
: (required & avd.auditallow));
if (denied &&
sepgsql_getenforce() > 0 &&
(avd.flags & SELINUX_AVD_FLAGS_PERMISSIVE) == 0)
enforcing = sepgsql_getenforce() > 0 &&
(avd.flags & SELINUX_AVD_FLAGS_PERMISSIVE) == 0;
if (denied && enforcing)
result = false;
/*
@ -930,6 +938,7 @@ sepgsql_check_perms(const char *scontext,
if (audited && sepgsql_mode != SEPGSQL_MODE_INTERNAL)
{
sepgsql_audit_log(denied,
enforcing,
scontext,
tcontext,
tclass,