3 files changed, 27 insertions, 11 deletions

diff --git a/security/selinux/include/security.h b/security/selinux/include/security.h
index f979c35e037e..c4224bbf9f4e 100644
--- a/security/selinux/include/security.h
+++ b/security/selinux/include/security.h
@@ -76,6 +76,8 @@ enum {
 };
 #define POLICYDB_CAPABILITY_MAX (__POLICYDB_CAPABILITY_MAX - 1)
 
+extern char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX];
+
 extern int selinux_policycap_netpeer;
 extern int selinux_policycap_openperm;
 extern int selinux_policycap_extsockclass;
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 50062e70140d..82adb78a58f7 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -41,15 +41,6 @@
 #include "objsec.h"
 #include "conditional.h"
 
-/* Policy capability filenames */
-static char *policycap_names[] = {
-        "network_peer_controls",
-        "open_perms",
-        "extended_socket_class",
-        "always_check_network",
-        "cgroup_seclabel"
-};
-
 unsigned int selinux_checkreqprot = CONFIG_SECURITY_SELINUX_CHECKREQPROT_VALUE;
 
 static int __init checkreqprot_setup(char *str)
@@ -1750,9 +1741,9 @@ static int sel_make_policycap(void)
         sel_remove_entries(policycap_dir);
 
         for (iter = 0; iter <= POLICYDB_CAPABILITY_MAX; iter++) {
-                if (iter < ARRAY_SIZE(policycap_names))
+                if (iter < ARRAY_SIZE(selinux_policycap_names))
                         dentry = d_alloc_name(policycap_dir,
-                                              policycap_names[iter]);
+                                              selinux_policycap_names[iter]);
                 else
                         dentry = d_alloc_name(policycap_dir, "unknown");
 
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 60d9b0252321..2dccba4851f8 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -70,6 +70,15 @@
 #include "ebitmap.h"
 #include "audit.h"
 
+/* Policy capability names */
+char *selinux_policycap_names[__POLICYDB_CAPABILITY_MAX] = {
+        "network_peer_controls",
+        "open_perms",
+        "extended_socket_class",
+        "always_check_network",
+        "cgroup_seclabel"
+};
+
 int selinux_policycap_netpeer;
 int selinux_policycap_openperm;
 int selinux_policycap_extsockclass;
@@ -1986,6 +1995,9 @@ bad:
 
 static void security_load_policycaps(void)
 {
+        unsigned int i;
+        struct ebitmap_node *node;
+
         selinux_policycap_netpeer = ebitmap_get_bit(&policydb.policycaps,
                                                   POLICYDB_CAPABILITY_NETPEER);
         selinux_policycap_openperm = ebitmap_get_bit(&policydb.policycaps,
@@ -1997,6 +2009,17 @@ static void security_load_policycaps(void)
         selinux_policycap_cgroupseclabel =
                 ebitmap_get_bit(&policydb.policycaps,
                                 POLICYDB_CAPABILITY_CGROUPSECLABEL);
+
+        for (i = 0; i < ARRAY_SIZE(selinux_policycap_names); i++)
+                pr_info("SELinux:  policy capability %s=%d\n",
+                        selinux_policycap_names[i],
+                        ebitmap_get_bit(&policydb.policycaps, i));
+
+        ebitmap_for_each_positive_bit(&policydb.policycaps, node, i) {
+                if (i >= ARRAY_SIZE(selinux_policycap_names))
+                        pr_info("SELinux:  unknown policy capability %u\n",
+                                i);
+        }
 }
 
 static int security_preserve_bools(struct policydb *p);