Skip to content

util/audit: Correct usage of audit logging functions #388

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
wants to merge 1 commit into
base: main
Choose a base branch
from
Open

util/audit: Correct usage of audit logging functions #388

wants to merge 1 commit into from

Conversation

Cropi
Copy link

@Cropi Cropi commented Mar 26, 2025
edited
Loading

Update util_audit_log to use audit_log_user_message for UTIL_AUDIT_TYPE_POLICYLOAD and UTIL_AUDIT_TYPE_MAC_STATUS, and audit_log_user_avc_message for UTIL_AUDIT_TYPE_AVC. The result parameter is now passed to audit_log_user_message, set to 1 by default.

This change ensures proper argument order for ausearch utility as discussed in linux-audit/audit-userspace#394.

Fixes #387

@Cropi
util/audit: Correct usage of audit logging functions
beffdee 
Update util_audit_log to use audit_log_user_message for
UTIL_AUDIT_TYPE_POLICYLOAD and UTIL_AUDIT_TYPE_MAC_STATUS, and
audit_log_user_avc_message for UTIL_AUDIT_TYPE_AVC. The result parameter
is now passed to audit_log_user_message, set to 1 by default.

This change ensures proper argument order for ausearch utility as
discussed in linux-audit/audit-userspace#394.
dvdhrm
dvdhrm approved these changes Apr 25, 2025
View reviewed changes
Copy link
Member

@dvdhrm dvdhrm left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yeah, looks correct. Thanks a lot for the fix!

src/util/audit.c
r = audit_log_user_avc_message(audit_fd, audit_type, message, NULL, NULL, NULL, uid);
} else {
r = audit_log_user_message(audit_fd, audit_type, message, NULL, NULL, NULL, 1);
}
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Why are there two functions exposed by libaudit, anyway? Why doesn't audit_log_user_avc_message() just check whether the passed type is other than AUDIT_USER_AVC (or related AVC types), and then forward to audit_log_user_message()?

Copy link
Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Perfectly valid question, I believe it's for historical reasons. The implementation of both functions is very similar but they provide a slightly different output. Documentation says:

  • audit_log_user_avc_message This function should be used by all apps that are SELinux object managers.
  • audit_log_user_message This function should be used by all console apps that do not manipulate accounts or groups.

Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Btw., can you elaborate on the last argument to audit_log_user_message? The man-page is not very helpful. I guess this is about whether this is an audit-message about a successful / expected operation, or whether this is about a failed / unexpected operation?

I think passing 1 unconditionally might not be right here, though.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@dvdhrm dvdhrm dvdhrm approved these changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

util_audit_log should create valid audit records
2 participants
@Cropi @dvdhrm