authorPaul Moore <paul.moore@hp.com>2008-01-29 08:51:16 -0500
committerJames Morris <jmorris@namei.org>2008-01-29 16:17:30 -0500
commit71f1cb05f773661b6fa98c7a635d7a395cd9c55d (patch)
treea540f89c5d1d081ea2c09105f264adce44d92fa9 /security/selinux/hooks.c
parenteffad8df44261031a882e1a895415f7186a5098e (diff)
SELinux: Add warning messages on network denial due to error
Currently network traffic can be silently dropped due to non-avc errors, which can lead to much confusion when trying to debug the problem. This patch adds warning messages so that when these events occur there is a user-visible notification. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
Diffstat (limited to 'security/selinux/hooks.c')
-rw-r--r--security/selinux/hooks.c29
1 files changed, 24 insertions, 5 deletions
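diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b3c064744d32..81bfcf114484 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3443,6 +3443,11 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
 		break;
 	}
 
+	if (unlikely(ret))
+		printk(KERN_WARNING
+		       "SELinux: failure in selinux_parse_skb(),"
+		       " unable to parse packet\n");
+
 	return ret;
 }
 
@@ -3463,6 +3468,7 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
  */
 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
 {
+	int err;
 	u32 xfrm_sid;
 	u32 nlbl_sid;
 	u32 nlbl_type;
@@ -3470,10 +3476,13 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
 	selinux_skb_xfrm_sid(skb, &xfrm_sid);
 	selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
 
-	if (security_net_peersid_resolve(nlbl_sid, nlbl_type,
-					 xfrm_sid,
-					 sid) != 0)
+	err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
+	if (unlikely(err)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in selinux_skb_peerlbl_sid(),"
+		       " unable to determine packet's peer label\n");
 		return -EACCES;
+	}
 
 	return 0;
 }
@@ -3925,8 +3934,13 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
 	err = security_port_sid(sk->sk_family, sk->sk_type,
 				sk->sk_protocol, ntohs(ad->u.net.sport),
 				&port_sid);
-	if (err)
+	if (unlikely(err)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in"
+		       " selinux_sock_rcv_skb_iptables_compat(),"
+		       " network port label not found\n");
 		return err;
+	}
 	return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
 }
 
@@ -4343,8 +4357,13 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
 	err = security_port_sid(sk->sk_family, sk->sk_type,
 				sk->sk_protocol, ntohs(ad->u.net.dport),
 				&port_sid);
-	if (err)
+	if (unlikely(err)) {
+		printk(KERN_WARNING
+		       "SELinux: failure in"
+		       " selinux_ip_postroute_iptables_compat(),"
+		       " network port label not found\n");
 		return err;
+	}
 	return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
 }
 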
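Review bot: The warning added in selinux_parse_skb() (first hunk) is an unconditional printk(KERN_WARNING) on a per-packet receive path, so a peer whose traffic repeatedly fails to parse can drive unbounded kernel-log output; the same applies to the new messages in selinux_skb_peerlbl_sid(), selinux_sock_rcv_skb_iptables_compat() and selinux_ip_postroute_iptables_compat(). Guarding each message with the kernel's existing limiter, `if (unlikely(ret) && printk_ratelimit())` in the parse case (or `net_ratelimit()`, the networking variant), keeps the user-visible notification the commit wants while capping how much a remote sender can write to the log. The messages also omit the error value that caused the drop, which is the first thing needed for the debugging the description describes; appending it, e.g. `" unable to parse packet (%d)\n", ret);`, costs nothing. selinux_parse_skb()'s body begins outside the first hunk, so whether ret can carry a non-negative failure value is not visible here.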