dbus: keep track of enforce state

[dperpeet]

It would be nice to receive notification of the enforce state of a system changes.

@bachradsusi pointed out that we can track messages like

type=MAC_STATUS msg=audit(1463128316.149:2098): enforcing=0 old_enforcing=1 auid=4294967295 ses=4294967295

but that feels cumbersome.

[bachradsusi]

Some time ago I made
http://plautrba.fedorapeople.org/selinux_server_dispatch.tar

There are 2 files:

• /usr/local/sbin/selinux_server_dispatch.py - it sends org.selinux.mac_status DBUS signal when an MAC_STATUS event comes from audit
• /etc/audisp/plugins.d/selinux-server-dispatch.conf - audit dispather config files which ensures that audit event will be sent to stdin of selinux_server_dispatch.py. Note: you need to reload auditd after you deploy this files: systemctl reload auditd

This is a preview how we can send signals about SELinux changes. And it's more appropriate to be in SELinux userspace than in setroubleshoot.

[dperpeet]

You're right about the SELinux userspace. Thanks for that work!

Do you know off-hand how we could also detect Disabled state (and notify, of course)?

[dperpeet]

Also, if we introduce something new, it would be nice to follow the convention of using CamelCase, i.e. in this case I think it would be appropriate to call the object MacStatus.