authorEric Paris <eparis@redhat.com>2009-02-12 15:01:10 -0500
committerJames Morris <jmorris@namei.org>2009-02-13 17:22:27 -0500
commit4ba0a8ad63e12a03ae01c039482967cc496b9174 (patch)
tree340aa55aa98cc42c33cff4297f0813f14f46b121
parent200ac532a4bc3134147ca06686c56a6420e66c46 (diff)
SELinux: better printk when file with invalid label found
Currently when an inode is read into the kernel with an invalid label string (can often happen with removable media) we output a string like: SELinux: inode_doinit_with_dentry: context_to_sid([SOME INVALID LABEL]) returned -22 for dev=[blah] ino=[blah] Which is all but incomprehensible to all but a couple of us. Instead, on EINVAL only, I plan to output a much more user friendly string and I plan to ratelimit the printk since many of these could be generated very rapidly. Signed-off-by: Eric Paris <eparis@redhat.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--security/selinux/hooks.c17
1 files changed, 13 insertions, 4 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index e9011e5f5ffb..aebcfad5613f 100644
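--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -1315,10 +1315,19 @@ static int inode_doinit_with_dentry(struct inode *inode, struct dentry *opt_dent
 sbsec->def_sid,
 GFP_NOFS);
 if (rc) {
-printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
-"returned %d for dev=%s ino=%ld\n",
-__func__, context, -rc,
-inode->i_sb->s_id, inode->i_ino);
+char *dev = inode->i_sb->s_id;
+unsigned long ino = inode->i_ino;
+
+if (rc == -EINVAL) {
+if (printk_ratelimit())
+printk(KERN_NOTICE "SELinux: inode=%lu on dev=%s was found to have an invalid "
+"context=%s. This indicates you may need to relabel the inode or the "
+"filesystem in question.\n", ino, dev, context);
+} else {
+printk(KERN_WARNING "SELinux: %s: context_to_sid(%s) "
+"returned %d for dev=%s ino=%ld\n",
+__func__, context, -rc, dev, ino);
+}
 kfree(context);
 /* Leave with the unlabeled SID */
 rc = 0;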
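Review bot: Both printk calls inside the `if (rc)` block pass `context` to `%s` unmodified, and going by the commit description that string is the label read from the inode (often on removable media), so whoever prepared the filesystem appears to control part of a kernel log line; embedded newlines or control characters could split or imitate log entries. The commit inherits this from the old message rather than introducing it, but the new text is written to be read and acted on by administrators, which makes verbatim output matter more. Consider emitting the label through an escaping helper such as `audit_log_untrustedstring()`, or at minimum documenting it above the branch with `/* context comes from the filesystem and is untrusted; it is logged verbatim */`. Separately, the else branch prints `ino` (now `unsigned long`) with `%ld` while the new message uses `%lu`; `"returned %d for dev=%s ino=%lu\n"` would be consistent. The body of inode_doinit_with_dentry starts and ends outside the hunk, so where `context` is filled in is inferred rather than visible here.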