Include permissive/enforcing state in sepgsql log messages.
SELinux itself does this (at least in modern releases), and it seems like a good idea to reduce confusion. Dave Page Discussion: https://postgr.es/m/CA+OCxowsQoLEYc=jN7OtNvOdX0Jg5L7nMYt++=k0X78HGq-sXg@mail.gmail.com
@ -676,6 +676,7 @@ sepgsql_getenforce(void)
|
||||
*/
|
||||
void
|
||||
sepgsql_audit_log(bool denied,
|
||||
bool enforcing,
|
||||
const char *scontext,
|
||||
const char *tcontext,
|
||||
uint16 tclass,
|
||||
@ -713,6 +714,11 @@ sepgsql_audit_log(bool denied,
|
||||
if (audit_name)
|
||||
appendStringInfo(&buf, " name=\"%s\"", audit_name);
|
||||
|
||||
if (enforcing)
|
||||
appendStringInfoString(&buf, " permissive=0");
|
||||
else
|
||||
appendStringInfoString(&buf, " permissive=1");
|
||||
|
||||
ereport(LOG, (errmsg("SELinux: %s", buf.data)));
|
||||
}
|
||||
|
||||
@ -907,6 +913,7 @@ sepgsql_check_perms(const char *scontext,
|
||||
uint32 denied;
|
||||
uint32 audited;
|
||||
bool result = true;
|
||||
bool enforcing;
|
||||
|
||||
sepgsql_compute_avd(scontext, tcontext, tclass, &avd);
|
||||
|
||||
@ -918,9 +925,10 @@ sepgsql_check_perms(const char *scontext,
|
||||
audited = (denied ? (denied & avd.auditdeny)
|
||||
: (required & avd.auditallow));
|
||||
|
||||
if (denied &&
|
||||
sepgsql_getenforce() > 0 &&
|
||||
(avd.flags & SELINUX_AVD_FLAGS_PERMISSIVE) == 0)
|
||||
enforcing = sepgsql_getenforce() > 0 &&
|
||||
(avd.flags & SELINUX_AVD_FLAGS_PERMISSIVE) == 0;
|
||||
|
||||
if (denied && enforcing)
|
||||
result = false;
|
||||
|
||||
/*
|
||||
@ -930,6 +938,7 @@ sepgsql_check_perms(const char *scontext,
|
||||
if (audited && sepgsql_mode != SEPGSQL_MODE_INTERNAL)
|
||||
{
|
||||
sepgsql_audit_log(denied,
|
||||
enforcing,
|
||||
scontext,
|
||||
tcontext,
|
||||
tclass,
|
||||
|
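Review bot: In the `sepgsql_check_perms` hunk (`@ -918,9 +925,10`), `enforcing` is now computed unconditionally, so `sepgsql_getenforce()` is called on every permission check, whereas the removed condition only reached it after `denied` was nonzero. The value is consumed only when `denied` is set or when `audited` is nonzero, so this is harmless provided `sepgsql_getenforce()` stays a cheap in-memory status read, which I believe it is in this file but cannot confirm from the hunk; a one-line comment would protect that assumption: `/* Evaluated on every check, not only on denial; keep sepgsql_getenforce() cheap. */`. If it is not cheap, `enforcing = (denied || audited) && sepgsql_getenforce() > 0 && (avd.flags & SELINUX_AVD_FLAGS_PERMISSIVE) == 0;` would restore the old short-circuit without changing the result in either consumer. `sepgsql_check_perms` starts and ends outside this hunk.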