Since libselinux 3.2, via commit 05bdc03130d7 ("libselinux: use kernel
status page by default") [1], selinux_status_updated(3) will issue log
messages on enforcing changes and policy loads. dpkg is only interested
in whether the policy has changed, so that it can reload the SELinux label database.
Ignore non-relevant log messages and forward messages of type error,
warning and avc (which should be treated as error if not audited
according to selinux_set_callback(3)).
Example (the missing newline is a libselinux bug [2]):
Unpacking valgrind-dbg (1:3.19.0-1) ... │
uavc: op=setenforce lsm=selinux enforcing=0 res=1Preparing to unpack .../vnstati_2.9-1_amd64.deb ...
See also
https://github.com/rpm-software-management/rpm/pull/2201
[1]:
https://github.com/SELinuxProject/selinux/commit/05bdc03130d741e53e1fb45a958d0a2c184be503
[2]:
https://lore.kernel.org/selinux/20221011112733.194079-1-plautrba@redhat.com/
---
src/common/selinux.c | 31 ++++++++++++++++++++++++++++---
1 file changed, 28 insertions(+), 3 deletions(-)
diff --git a/src/common/selinux.c b/src/common/selinux.c
index 07f87a3dd..c123fb924 100644
--- a/src/common/selinux.c
+++ b/src/common/selinux.c
@@ -44,6 +44,33 @@
static struct selabel_handle *sehandle;
#endif
+#ifdef WITH_LIBSELINUX
+DPKG_ATTR_PRINTF(2)
+static int log_callback(int type, const char *fmt, ...)
+{
+ char *msg;
+ va_list ap;
+
+ switch (type) {
+ case SELINUX_ERROR:
+ case SELINUX_WARNING:
+ case SELINUX_AVC:
+ break;
+ default:
+ return 0;
+ }
+
+ va_start(ap, fmt);
+ m_vasprintf(&msg, fmt, ap);
+ va_end(ap);
+
+ warning("libselinux: %s", msg);
+ free(msg);
+
+ return 0;
+}
+#endif
+
void
dpkg_selabel_load(void)
{
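Review bot: The message forwarded at `warning("libselinux: %s", msg);` is passed through verbatim, and libselinux error/warning messages normally carry their own trailing newline, so if dpkg's warning() also terminates its output (its definition is not in this hunk) each forwarded message would print with a blank line after it; the avc example in the description shows the opposite case, where libselinux emits no newline at all, so the formats are not uniform. Trimming one trailing newline before forwarding keeps the output consistent without depending on which libselinux message type arrived: `size_t len = strlen(msg);` / `if (len > 0 && msg[len - 1] == '\n')` / `msg[len - 1] = '\0';` placed between the m_vasprintf() and the warning() calls. The callback's use of `%s` rather than passing fmt through to warning() is the right choice here, since the format string originates in the library rather than in dpkg; a one-line comment saying so, e.g. `/* Forward as a plain string; fmt is libselinux's, not ours. */`, would keep a later refactor from "simplifying" it away. The hunk also relies on va_list and free() being in scope, which presumably holds via existing includes at the top of selinux.c but cannot be confirmed from the visible lines.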
@@ -65,9 +92,7 @@ dpkg_selabel_load(void)
if (rc < 0)
ohshit(_("cannot open security status notification channel"));
- /* XXX: We could use selinux_set_callback() to redirect the
- * errors from the other