diff options
author | Eric Paris <eparis@redhat.com> | 2008-06-09 16:51:37 -0400 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2008-07-14 01:02:00 -0400 |
commit | 6cbe27061a69ab89d25dbe42d1a4f33a8425fe88 (patch) | |
tree | 883e50c699dcd495ca9fc985e71622394ce21001 | |
parent | 22df4adb049a5cbb340dd935f5bbfa1ab3947562 (diff) |
SELinux: more user friendly unknown handling printk
I've gotten complaints and reports about people not understanding the
meaning of the current unknown class/perm handling the kernel emits on
every policy load. Hopefully this will make make it clear to everyone
the meaning of the message and won't waste a printk the user won't care
about anyway on systems where the kernel and the policy agree on
everything.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | security/selinux/selinuxfs.c | 5 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 7 |
2 files changed, 7 insertions, 5 deletions
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 07a5db69571c..69c9dccc8cf0 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c | |||
@@ -356,11 +356,6 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf, | |||
356 | length = count; | 356 | length = count; |
357 | 357 | ||
358 | out1: | 358 | out1: |
359 | |||
360 | printk(KERN_INFO "SELinux: policy loaded with handle_unknown=%s\n", | ||
361 | (security_get_reject_unknown() ? "reject" : | ||
362 | (security_get_allow_unknown() ? "allow" : "deny"))); | ||
363 | |||
364 | audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD, | 359 | audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD, |
365 | "policy loaded auid=%u ses=%u", | 360 | "policy loaded auid=%u ses=%u", |
366 | audit_get_loginuid(current), | 361 | audit_get_loginuid(current), |
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 04c0b70c8012..b52f923ce680 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c | |||
@@ -1171,6 +1171,7 @@ static int validate_classes(struct policydb *p) | |||
1171 | const struct selinux_class_perm *kdefs = &selinux_class_perm; | 1171 | const struct selinux_class_perm *kdefs = &selinux_class_perm; |
1172 | const char *def_class, *def_perm, *pol_class; | 1172 | const char *def_class, *def_perm, *pol_class; |
1173 | struct symtab *perms; | 1173 | struct symtab *perms; |
1174 | bool print_unknown_handle = 0; | ||
1174 | 1175 | ||
1175 | if (p->allow_unknown) { | 1176 | if (p->allow_unknown) { |
1176 | u32 num_classes = kdefs->cts_len; | 1177 | u32 num_classes = kdefs->cts_len; |
@@ -1191,6 +1192,7 @@ static int validate_classes(struct policydb *p) | |||
1191 | return -EINVAL; | 1192 | return -EINVAL; |
1192 | if (p->allow_unknown) | 1193 | if (p->allow_unknown) |
1193 | p->undefined_perms[i-1] = ~0U; | 1194 | p->undefined_perms[i-1] = ~0U; |
1195 | print_unknown_handle = 1; | ||
1194 | continue; | 1196 | continue; |
1195 | } | 1197 | } |
1196 | pol_class = p->p_class_val_to_name[i-1]; | 1198 | pol_class = p->p_class_val_to_name[i-1]; |
@@ -1220,6 +1222,7 @@ static int validate_classes(struct policydb *p) | |||
1220 | return -EINVAL; | 1222 | return -EINVAL; |
1221 | if (p->allow_unknown) | 1223 | if (p->allow_unknown) |
1222 | p->undefined_perms[class_val-1] |= perm_val; | 1224 | p->undefined_perms[class_val-1] |= perm_val; |
1225 | print_unknown_handle = 1; | ||
1223 | continue; | 1226 | continue; |
1224 | } | 1227 | } |
1225 | perdatum = hashtab_search(perms->table, def_perm); | 1228 | perdatum = hashtab_search(perms->table, def_perm); |
@@ -1267,6 +1270,7 @@ static int validate_classes(struct policydb *p) | |||
1267 | return -EINVAL; | 1270 | return -EINVAL; |
1268 | if (p->allow_unknown) | 1271 | if (p->allow_unknown) |
1269 | p->undefined_perms[class_val-1] |= (1 << j); | 1272 | p->undefined_perms[class_val-1] |= (1 << j); |
1273 | print_unknown_handle = 1; | ||
1270 | continue; | 1274 | continue; |
1271 | } | 1275 | } |
1272 | perdatum = hashtab_search(perms->table, def_perm); | 1276 | perdatum = hashtab_search(perms->table, def_perm); |
@@ -1284,6 +1288,9 @@ static int validate_classes(struct policydb *p) | |||
1284 | } | 1288 | } |
1285 | } | 1289 | } |
1286 | } | 1290 | } |
1291 | if (print_unknown_handle) | ||
1292 | printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n", | ||
1293 | (security_get_allow_unknown() ? "allowed" : "denied")); | ||
1287 | return 0; | 1294 | return 0; |
1288 | } | 1295 | } |
1289 | 1296 | ||