Audit: add support to match lsm labels on user audit messages Add support for matching by security label (e.g. SELinux context) of the sender of an user-space audit record. The audit filter code already allows user space to configure such filters, but they were ignored during evaluation. This patch implements evaluation of these filters. For example, after application of this patch, PAM authentication logs caused by cron can be disabled using auditctl -a user,never -F subj_type=crond_t Signed-off-by: Miloslav Trmac <mitr@redhat.com> Acked-by: Eric Paris <eparis@redhat.com> Signed-off-by: Al Viro <viro@zeniv.linux.org.uk>

commit: d29be158a68254f58cf1fbf60ce1e89557a321aa [log] [tgz]
author: Miloslav Trmac <mitr@redhat.com> Thu Sep 16 18:14:11 2010 -0400
committer: Al Viro <viro@zeniv.linux.org.uk> Sat Oct 30 01:41:57 2010 -0400
tree: cd42581516bc189c2e1d83b15fad984c7001561c
parent: 2d10d8737ccdba752d60106abbc6ed4f37404923 [diff]
diff --git a/kernel/auditfilter.c b/kernel/auditfilter.c
index eb76754..add2819 100644
--- a/kernel/auditfilter.c
+++ b/kernel/auditfilter.c

@@ -1252,6 +1252,18 @@
 		case AUDIT_LOGINUID:
 			result = audit_comparator(cb->loginuid, f->op, f->val);
 			break;
+		case AUDIT_SUBJ_USER:
+		case AUDIT_SUBJ_ROLE:
+		case AUDIT_SUBJ_TYPE:
+		case AUDIT_SUBJ_SEN:
+		case AUDIT_SUBJ_CLR:
+			if (f->lsm_rule)
+				result = security_audit_rule_match(cb->sid,
+								   f->type,
+								   f->op,
+								   f->lsm_rule,
+								   NULL);
+			break;
 		}
 
 		if (!result)
commit	d29be158a68254f58cf1fbf60ce1e89557a321aa	[log] [tgz]
author	Miloslav Trmac <mitr@redhat.com>	Thu Sep 16 18:14:11 2010 -0400
committer	Al Viro <viro@zeniv.linux.org.uk>	Sat Oct 30 01:41:57 2010 -0400
tree	cd42581516bc189c2e1d83b15fad984c7001561c
parent	2d10d8737ccdba752d60106abbc6ed4f37404923 [diff]