Diffstat (limited to 'contrib/sepgsql/selinux.c')
-rw-r--r-- | contrib/sepgsql/selinux.c | 15 |
1 files changed, 12 insertions, 3 deletions
diff --git a/contrib/sepgsql/selinux.c b/contrib/sepgsql/selinux.c
index 6056e225d1d..4fe30465d74 100644
--- a/contrib/sepgsql/selinux.c
+++ b/contrib/sepgsql/selinux.c
@@ -676,6 +676,7 @@ sepgsql_getenforce(void) */ void sepgsql_audit_log(bool denied,
+ bool enforcing, const char *scontext, const char *tcontext, uint16 tclass,
@@ -713,6 +714,11 @@ sepgsql_audit_log(bool denied, if (audit_name) appendStringInfo(&buf, " name=\"%s\"", audit_name);
+ if (enforcing) appendStringInfoString(&buf, " permissive=0");
+ else appendStringInfoString(&buf, " permissive=1");
+ ereport(LOG, (errmsg("SELinux: %s", buf.data))); }
@@ -907,6 +913,7 @@ sepgsql_check_perms(const char *scontext, uint32 denied; uint32 audited; bool result = true;
+ bool enforcing; sepgsql_compute_avd(scontext, tcontext, tclass, &avd);
@@ -918,9 +925,10 @@ sepgsql_check_perms(const char *scontext, audited = (denied ? (denied & avd.auditdeny) : (required & avd.auditallow));
- if (denied && sepgsql_getenforce() > 0 && (avd.flags & SELINUX_AVD_FLAGS_PERMISSIVE) == 0)
+ enforcing = sepgsql_getenforce() > 0 && (avd.flags & SELINUX_AVD_FLAGS_PERMISSIVE) == 0;
+ if (denied && enforcing) result = false; /*
@@ -930,6 +938,7 @@ sepgsql_check_perms(const char *scontext, if (audited && sepgsql_mode != SEPGSQL_MODE_INTERNAL) { sepgsql_audit_log(denied,
+ enforcing, scontext, tcontext, tclass, |
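Review bot: The new `enforcing` parameter of sepgsql_audit_log is not documented; the function's header comment closes at the `*/` context line immediately before the signature, outside this hunk, and should gain a line such as `enforcing - true if a denial is actually rejected (global enforcing mode and the source domain not permissive); selects the permissive=0/1 field of the log line`. Because this diffstat is limited to selinux.c, I cannot see whether the prototype in sepgsql.h and any callers in other files were updated in the same commit, so please confirm that the signature change is complete. The function body continues past the end of this hunk.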
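Review bot: The new permissive= field is appended directly after the `name="%s"` field, which interpolates audit_name verbatim on the context line above; if an object name can carry a double quote or a newline, a crafted name can forge a permissive= token or terminate the record before the genuine field is emitted, so anything parsing these lines must not trust the first occurrence. Whether audit_name is attacker-influenced is not visible here, so it is worth confirming and, if it is, escaping quotes and newlines in the name or writing the field ahead of the name. As a matter of style, the if/else pair collapses to `appendStringInfo(&buf, " permissive=%d", enforcing ? 0 : 1);`. sepgsql_audit_log's body begins before this hunk.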
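Review bot: The new line `enforcing = sepgsql_getenforce() > 0 && (avd.flags & SELINUX_AVD_FLAGS_PERMISSIVE) == 0;` treats every non-positive return as not enforcing; if sepgsql_getenforce() can propagate a negative error value (libselinux's getenforce calls return -1 on failure), a failure to read the enforce state would silently fail open — `result` stays true and the line is logged as permissive=1, which hides the fault. Its implementation is outside this hunk, so the error may already be absorbed there; if it is not, treat errors as enforcing, e.g. `enforcing = sepgsql_getenforce() != 0 && ...`, with an explicit error report. A one-line comment noting that `enforcing` also folds in the per-domain permissive flag would help readers who expect it to mean only the global mode. sepgsql_check_perms continues past this hunk.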