[PATCH] audit validatetrans denials
Attached is a patch that adds audit logging of denials caused by the
validatetrans rules in the policy. Does this look good?
Thanks,
--
Darrel
diff -ruNp linux-2.6-nsa-20050215/security/selinux/ss/services.c linux-2.6-20050216/security/selinux/ss/services.c
--- linux-2.6-nsa-20050215/security/selinux/ss/services.c 2005-01-27 16:48:31.000000000 -0600
+++ linux-2.6-20050216/security/selinux/ss/services.c 2005-02-16 09:36:40.612223188 -0600
@@ -38,6 +38,13 @@
#include "services.h"
#include "conditional.h"
#include "mls.h"
+#ifdef CONFIG_AUDIT
+static const char *class_to_string[] = {
+#define S_(s) s,
+#include "class_to_string.h"
+#undef S_
+};
+#endif
extern void selnl_notify_policyload(u32 seqno);
unsigned int policydb_loaded_version;
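Review bot: The table added as `static const char *class_to_string[]` is an array of mutable pointers to const strings, so the array itself lands in writable data; declaring it `static const char *const class_to_string[] = {` lets the compiler place the whole table in read-only memory, which is the usual shape for a lookup table generated from class_to_string.h. Note also that the definition is guarded by `#ifdef CONFIG_AUDIT` while its only use in the second hunk is not; that is fine only if the audit_log_format() stubs for !CONFIG_AUDIT discard their arguments, which I cannot confirm from this page. If avc.c already builds the same table from class_to_string.h (I cannot see it here), exporting that one would avoid carrying two copies.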
@@ -417,6 +424,43 @@ int security_validate_transition(u32 old
out:
POLICY_RDUNLOCK;
+
+ /* audit failures */
+ if (rc) {
+ int err;
+ char *context;
+ u32 context_len;
+ struct audit_buffer *ab;
+
+ ab = audit_log_start(current->audit_context);
+ if (!ab)
+ return rc; /* audit_panic has been called */
+ audit_log_format(ab, "avc: denied validate_transition");
+ err = security_sid_to_context(oldsid, &context, &context_len);
+ if (err)
+ audit_log_format(ab, " oldsid=%d", oldsid);
+ else {
+ audit_log_format(ab, " oldcontext=%s", context);
+ kfree(context);
+ }
+ err = security_sid_to_context(newsid, &context, &context_len);
+ if (err)
+ audit_log_format(ab, " newsid=%d", newsid);
+ else {
+ audit_log_format(ab, " newcontext=%s", context);
+ kfree(context);
+ }
+ err = security_sid_to_context(tasksid, &context, &context_len);
+ if (err)
+ audit_log_format(ab, " tasksid=%d", tasksid);
+ else {
+ audit_log_format(ab, " taskcontext=%s", context);
+ kfree(context);
+ }
+ audit_log_format(ab, " tclass=%s", class_to_string[tclass]);
+ audit_log_end(ab);
+ }
+
return rc;
}
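Review bot: `class_to_string[tclass]` on the tclass= line is indexed without a range check, yet the new audit block runs for every nonzero rc, including any early `goto out` taken before this hunk; security_validate_transition's body starts outside the hunk, so if one of those exits rejects an unrecognised tclass with an error, this would read past the end of the table. Guard the lookup and fall back to the raw value: `if (tclass < ARRAY_SIZE(class_to_string)) audit_log_format(ab, " tclass=%s", class_to_string[tclass]); else audit_log_format(ab, " tclass=%u", tclass);` (ARRAY_SIZE is in linux/kernel.h). The fallback lines for oldsid, newsid and tasksid print a u32 with `%d`; use `%u` so large SIDs are not shown as negative numbers. A one-line comment above the block, `/* audit after POLICY_RDUNLOCK: the sid_to_context calls take the policy lock themselves */`, would explain why the logging sits after the unlock, if that is indeed the reason.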