diff options
author | Eric Paris <eparis@redhat.com> | 2009-02-12 15:01:10 -0500 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2009-02-13 17:22:27 -0500 |
commit | 4ba0a8ad63e12a03ae01c039482967cc496b9174 (patch) | |
tree | 340aa55aa98cc42c33cff4297f0813f14f46b121 | |
parent | 200ac532a4bc3134147ca06686c56a6420e66c46 (diff) |
SELinux: better printk when file with invalid label found
Currently when an inode is read into the kernel with an invalid label
string (can often happen with removable media) we output a string like:
SELinux: inode_doinit_with_dentry: context_to_sid([SOME INVALID LABEL])
returned -22 dor dev=[blah] ino=[blah]
Which is all but incomprehensible to all but a couple of us. Instead, on
EINVAL only, I plan to output a much more user friendly string and I plan to
ratelimit the printk since many of these could be generated very rapidly.
Signed-off-by: Eric Paris <eparis@redhat.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | security/selinux/hooks.c | 17 |
1 files changed, 13 insertions, 4 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index e9011e5f5ffb..aebcfad5613f 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c | |||
@@ -1315,10 +1315,19 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent | |||
1315 | sbsec->def_sid, | 1315 | sbsec->def_sid, |
1316 | GFP_NOFS); | 1316 | GFP_NOFS); |
1317 | if (rc) { | 1317 | if (rc) { |
1318 | printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " | 1318 | char *dev = inode->i_sb->s_id; |
1319 | "returned %d for dev=%s ino=%ld\n", | 1319 | unsigned long ino = inode->i_ino; |
1320 | __func__, context, -rc, | 1320 | |
1321 | inode->i_sb->s_id, inode->i_ino); | 1321 | if (rc == -EINVAL) { |
1322 | if (printk_ratelimit()) | ||
1323 | printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid " | ||
1324 | "context=%s. This indicates you may need to relabel the inode or the " | ||
1325 | "filesystem in question.\n", ino, dev, context); | ||
1326 | } else { | ||
1327 | printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) " | ||
1328 | "returned %d for dev=%s ino=%ld\n", | ||
1329 | __func__, context, -rc, dev, ino); | ||
1330 | } | ||
1322 | kfree(context); | 1331 | kfree(context); |
1323 | /* Leave with the unlabeled SID */ | 1332 | /* Leave with the unlabeled SID */ |
1324 | rc = 0; | 1333 | rc = 0; |