authorEric Paris <eparis@redhat.com>2008-06-09 16:51:37 -0400
committerJames Morris <jmorris@namei.org>2008-07-14 01:02:00 -0400
commit6cbe27061a69ab89d25dbe42d1a4f33a8425fe88 (patch)
tree883e50c699dcd495ca9fc985e71622394ce21001
parent22df4adb049a5cbb340dd935f5bbfa1ab3947562 (diff)
SELinux: more user friendly unknown handling printk
I've gotten complaints and reports about people not understanding the meaning of the current unknown class/perm handling message the kernel emits on every policy load. Hopefully this will make it clear to everyone what the message means, and it won't waste a printk the user won't care about anyway on systems where the kernel and the policy agree on everything. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r--security/selinux/selinuxfs.c5
-rw-r--r--security/selinux/ss/services.c7
2 files changed, 7 insertions, 5 deletions
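diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 07a5db69571c..69c9dccc8cf0 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -356,11 +356,6 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf,
 	length = count;
 
 out1:
-
-	printk(KERN_INFO "SELinux: policy loaded with handle_unknown=%s\n",
-		(security_get_reject_unknown() ? "reject" :
-		(security_get_allow_unknown() ? "allow" : "deny")));
-
 	audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
 		"policy loaded auid=%u ses=%u",
 		audit_get_loginuid(current),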
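diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 04c0b70c8012..b52f923ce680 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1171,6 +1171,7 @@ static int validate_classes(struct policydb *p)
 	const struct selinux_class_perm *kdefs = &selinux_class_perm;
 	const char *def_class, *def_perm, *pol_class;
 	struct symtab *perms;
+	bool print_unknown_handle = 0;
 
 	if (p->allow_unknown) {
 		u32 num_classes = kdefs->cts_len;
@@ -1191,6 +1192,7 @@ static int validate_classes(struct policydb *p)
 			return -EINVAL;
 		if (p->allow_unknown)
 			p->undefined_perms[i-1] = ~0U;
+		print_unknown_handle = 1;
 		continue;
 	}
 	pol_class = p->p_class_val_to_name[i-1];
@@ -1220,6 +1222,7 @@ static int validate_classes(struct policydb *p)
 				return -EINVAL;
 			if (p->allow_unknown)
 				p->undefined_perms[class_val-1] |= perm_val;
+			print_unknown_handle = 1;
 			continue;
 		}
 		perdatum = hashtab_search(perms->table, def_perm);
@@ -1267,6 +1270,7 @@ static int validate_classes(struct policydb *p)
 				return -EINVAL;
 			if (p->allow_unknown)
 				p->undefined_perms[class_val-1] |= (1 << j);
+			print_unknown_handle = 1;
 			continue;
 		}
 		perdatum = hashtab_search(perms->table, def_perm);
@@ -1284,6 +1288,9 @@ static int validate_classes(struct policydb *p)
 			}
 		}
 	}
+	if (print_unknown_handle)
+		printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
+			(security_get_allow_unknown() ? "allowed" : "denied"));
 	return 0;
 }
 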
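Review bot: The summary line added at the end of validate_classes takes its "allowed"/"denied" verdict from `security_get_allow_unknown()`, while the behaviour it summarises is decided by `p->allow_unknown` in the three `undefined_perms` assignments in the hunks above; if validate_classes is run on a freshly read policydb before it replaces the live one (a reload), that helper presumably reports the currently installed policy's setting and the message can state the opposite of what the new policy will actually do. Reading the policydb under validation keeps the message and the enforcement decision in step: `(p->allow_unknown ? "allowed" : "denied"));`. Separately, `print_unknown_handle` is declared `bool` but is initialised and set with `0`/`1`; `false`/`true` would match the declared type. The body of validate_classes continues between and beyond the hunks shown.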