Put a proper message type into each message logged by the userspace AVC.
Currently, the message types are defined but not used.
This will allow better separation of messages when logging to facilities
such as libaudit.
Signed-off-by: Eamon Walsh <ewalsh@tycho.nsa.gov>
diff --git a/libselinux/src/avc.c b/libselinux/src/avc.c
index ddc367c..899e074 100644
--- a/libselinux/src/avc.c
+++ b/libselinux/src/avc.c
@@ -199,13 +199,17 @@
rc = sidtab_init(&avc_sidtab);
if (rc) {
- avc_log("%s: unable to initialize SID table\n", avc_prefix);
+ avc_log(SELINUX_ERROR,
+ "%s: unable to initialize SID table\n",
+ avc_prefix);
goto out;
}
avc_audit_buf = (char *)avc_malloc(AVC_AUDIT_BUFSIZE);
if (!avc_audit_buf) {
- avc_log("%s: unable to allocate audit buffer\n", avc_prefix);
+ avc_log(SELINUX_ERROR,
+ "%s: unable to allocate audit buffer\n",
+ avc_prefix);
rc = -1;
goto out;
}
@@ -213,7 +217,8 @@
for (i = 0; i < AVC_CACHE_MAXNODES; i++) {
new = avc_malloc(sizeof(*new));
if (!new) {
- avc_log("%s: warning: only got %d av entries\n",
+ avc_log(SELINUX_WARNING,
+ "%s: warning: only got %d av entries\n",
avc_prefix, i);
break;
}
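Review bot: The format string on the new line `"%s: warning: only got %d av entries\n"` still spells out "warning:" even though the message is now tagged SELINUX_WARNING, so any sink that renders the type itself (a syslog priority, an audit record type) will print the severity twice. The same textual prefix survives next to SELINUX_WARNING in the avc_internal.c hunks at @@ -103,26 (four messages) and @@ -177,7 (unknown netlink message). Unless something downstream matches on the literal text, the word can go: `"%s: only got %d av entries\n"`. The enclosing function starts and ends outside this hunk.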
@@ -225,7 +230,8 @@
if (!avc_setenforce) {
rc = security_getenforce();
if (rc < 0) {
- avc_log("%s: could not determine enforcing mode\n",
+ avc_log(SELINUX_ERROR,
+ "%s: could not determine enforcing mode\n",
avc_prefix);
goto out;
}
@@ -234,8 +240,9 @@
rc = avc_netlink_open(avc_using_threads);
if (rc < 0) {
- avc_log("%s: can't open netlink socket: %d (%s)\n", avc_prefix,
- errno, strerror(errno));
+ avc_log(SELINUX_ERROR,
+ "%s: can't open netlink socket: %d (%s)\n",
+ avc_prefix, errno, strerror(errno));
goto out;
}
if (avc_using_threads) {
@@ -258,7 +265,7 @@
avc_get_lock(avc_lock);
sidtab_sid_stats(&avc_sidtab, avc_audit_buf, AVC_AUDIT_BUFSIZE);
avc_release_lock(avc_lock);
- avc_log("%s", avc_audit_buf);
+ avc_log(SELINUX_INFO, "%s", avc_audit_buf);
avc_release_lock(avc_log_lock);
}
@@ -287,7 +294,7 @@
avc_release_lock(avc_lock);
- avc_log("%s: %d AV entries and %d/%d buckets used, "
+ avc_log(SELINUX_INFO, "%s: %d AV entries and %d/%d buckets used, "
"longest chain length %d\n", avc_prefix,
avc_cache.active_nodes,
slots_used, AVC_CACHE_SLOTS, max_chain_len);
@@ -463,7 +470,8 @@
int rc = 0;
if (ae->avd.seqno < avc_cache.latest_notif) {
- avc_log("%s: seqno %d < latest_notif %d\n", avc_prefix,
+ avc_log(SELINUX_WARNING,
+ "%s: seqno %d < latest_notif %d\n", avc_prefix,
ae->avd.seqno, avc_cache.latest_notif);
errno = EAGAIN;
rc = -1;
@@ -665,7 +673,8 @@
toks -= AVC_MSG_COST;
avc_release_lock(ratelimit_lock);
if (lost) {
- avc_log("%s: %d messages suppressed.\n", avc_prefix,
+ avc_log(SELINUX_WARNING,
+ "%s: %d messages suppressed.\n", avc_prefix,
lost);
}
rc = 1;
@@ -784,7 +793,7 @@
log_append(avc_audit_buf, " ");
avc_dump_query(ssid, tsid, tclass);
log_append(avc_audit_buf, "\n");
- avc_log("%s", avc_audit_buf);
+ avc_log(SELINUX_AVC, "%s", avc_audit_buf);
avc_release_lock(avc_log_lock);
}
diff --git a/libselinux/src/avc_internal.c b/libselinux/src/avc_internal.c
index b9e9db2..354d32e 100644
--- a/libselinux/src/avc_internal.c
+++ b/libselinux/src/avc_internal.c
@@ -103,26 +103,30 @@
return rc;
if (nladdrlen != sizeof nladdr) {
- avc_log("%s: warning: netlink address truncated, len %d?\n",
+ avc_log(SELINUX_WARNING,
+ "%s: warning: netlink address truncated, len %d?\n",
avc_prefix, nladdrlen);
return -1;
}
if (nladdr.nl_pid) {
- avc_log("%s: warning: received spoofed netlink packet from: %d\n",
+ avc_log(SELINUX_WARNING,
+ "%s: warning: received spoofed netlink packet from: %d\n",
avc_prefix, nladdr.nl_pid);
return -1;
}
if (rc == 0) {
- avc_log("%s: warning: received EOF on netlink socket\n",
+ avc_log(SELINUX_WARNING,
+ "%s: warning: received EOF on netlink socket\n",
avc_prefix);
errno = EBADFD;
return -1;
}
if (nlh->nlmsg_flags & MSG_TRUNC || nlh->nlmsg_len > (unsigned)rc) {
- avc_log("%s: warning: incomplete netlink message\n",
+ avc_log(SELINUX_WARNING,
+ "%s: warning: incomplete netlink message\n",
avc_prefix);
return -1;
}
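Review bot: The header-field test on `nlh->nlmsg_flags` and `nlh->nlmsg_len` runs after only the rc == 0 check, so a datagram shorter than a netlink header (0 < rc < sizeof(struct nlmsghdr)) reads those fields from bytes recvfrom() never filled; the added SELINUX_WARNING tag does not change that. Unless a length check precedes the hunk, the standard macro covers both the short-read and the oversized case in one line: `if (!NLMSG_OK(nlh, (unsigned)rc) || (nlh->nlmsg_flags & MSG_TRUNC)) {`. The enclosing function begins before the hunk, so the recvfrom() call and the buffer's size are not visible here.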
@@ -144,19 +148,22 @@
break;
errno = -err->error;
- avc_log("%s: netlink error: %d\n", avc_prefix, errno);
+ avc_log(SELINUX_ERROR,
+ "%s: netlink error: %d\n", avc_prefix, errno);
return -1;
}
case SELNL_MSG_SETENFORCE:{
struct selnl_msg_setenforce *msg = NLMSG_DATA(nlh);
- avc_log("%s: received setenforce notice (enforcing=%d)\n",
+ avc_log(SELINUX_INFO,
+ "%s: received setenforce notice (enforcing=%d)\n",
avc_prefix, msg->val);
if (avc_setenforce)
break;
avc_enforcing = msg->val;
if (avc_enforcing && (rc = avc_ss_reset(0)) < 0) {
- avc_log("%s: cache reset returned %d (errno %d)\n",
+ avc_log(SELINUX_ERROR,
+ "%s: cache reset returned %d (errno %d)\n",
avc_prefix, rc, errno);
return rc;
}
@@ -165,11 +172,13 @@
case SELNL_MSG_POLICYLOAD:{
struct selnl_msg_policyload *msg = NLMSG_DATA(nlh);
- avc_log("%s: received policyload notice (seqno=%d)\n",
+ avc_log(SELINUX_INFO,
+ "%s: received policyload notice (seqno=%d)\n",
avc_prefix, msg->seqno);
rc = avc_ss_reset(msg->seqno);
if (rc < 0) {
- avc_log("%s: cache reset returned %d (errno %d)\n",
+ avc_log(SELINUX_ERROR,
+ "%s: cache reset returned %d (errno %d)\n",
avc_prefix, rc, errno);
return rc;
}
@@ -177,7 +186,8 @@
}
default:
- avc_log("%s: warning: unknown netlink message %d\n",
+ avc_log(SELINUX_WARNING,
+ "%s: warning: unknown netlink message %d\n",
avc_prefix, nlh->nlmsg_type);
}
return 0;
@@ -197,7 +207,8 @@
if (errno == 0 || errno == EINTR)
continue;
else {
- avc_log("%s: netlink recvfrom: error %d\n",
+ avc_log(SELINUX_ERROR,
+ "%s: netlink recvfrom: error %d\n",
avc_prefix, errno);
return rc;
}
@@ -221,7 +232,8 @@
if (errno == 0 || errno == EINTR)
continue;
else {
- avc_log("%s: netlink recvfrom: error %d\n",
+ avc_log(SELINUX_ERROR,
+ "%s: netlink recvfrom: error %d\n",
avc_prefix, errno);
break;
}
@@ -234,6 +246,7 @@
close(fd);
avc_netlink_trouble = 1;
- avc_log("%s: netlink thread: errors encountered, terminating\n",
+ avc_log(SELINUX_ERROR,
+ "%s: netlink thread: errors encountered, terminating\n",
avc_prefix);
}
diff --git a/libselinux/src/avc_internal.h b/libselinux/src/avc_internal.h
index cd50dc8..31bd7e1 100644
--- a/libselinux/src/avc_internal.h
+++ b/libselinux/src/avc_internal.h
@@ -91,11 +91,11 @@
}
/* this is a macro in order to use the variadic capability. */
-#define avc_log(format...) \
+#define avc_log(type, format...) \
if (avc_func_log) \
avc_func_log(format); \
else \
- selinux_log(SELINUX_ERROR, format);
+ selinux_log(type, format);
static inline void avc_suppl_audit(void *ptr, security_class_t class,
char *buf, size_t len)
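Review bot: The new `type` parameter is only forwarded on the selinux_log() branch; when a caller has installed avc_func_log the macro still passes just `format`, so the message type this commit introduces never reaches a user callback (the callback's signature is declared outside this hunk, so this may be an ABI constraint rather than an oversight). Either way the header should say so; suggested comment above the macro: `/* 'type' is honoured only on the selinux_log() fallback; a registered avc_func_log receives the formatted text without it. */`. Separately, the macro expands to a bare if/else followed by a trailing semicolon, so using it as the single statement of an outer `if` that has its own `else` would not compile; wrapping the expansion in do { } while (0) removes that hazard, as below.
```c
#define avc_log(type, format...) \
	do { \
		if (avc_func_log) \
			avc_func_log(format); \
		else \
			selinux_log(type, format); \
	} while (0)
```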