SELinux: Add warning messages on network denial due to error

Currently network traffic can be sliently dropped due to non-avc errors which can lead to much confusion when trying to debug the problem. This patch adds warning messages so that when these events occur there is a user visible notification. Signed-off-by: Paul Moore <paul.moore@hp.com> Signed-off-by: James Morris <jmorris@namei.org>
author: Paul Moore <paul.moore@hp.com> 2008-01-29 08:51:16 -0500
committer: James Morris <jmorris@namei.org> 2008-01-29 16:17:30 -0500
commit: 71f1cb05f773661b6fa98c7a635d7a395cd9c55d (patch)
tree: a540f89c5d1d081ea2c09105f264adce44d92fa9 /security/selinux/hooks.c
parent: effad8df44261031a882e1a895415f7186a5098e (diff)
1 files changed, 24 insertions, 5 deletions
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index b3c064744d32..81bfcf114484 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c
@@ -3443,6 +3443,11 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
                break;
        }
+        if (unlikely(ret))
+                printk(KERN_WARNING
+                       "SELinux: failure in selinux_parse_skb(),"
+                       " unable to parse packet\n");
        return ret;
 }
@@ -3463,6 +3468,7 @@ static int selinux_parse_skb(struct sk_buff *skb, struct avc_audit_data *ad,
 */
 static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
 {
+        int err;
        u32 xfrm_sid;
        u32 nlbl_sid;
        u32 nlbl_type;
@@ -3470,10 +3476,13 @@ static int selinux_skb_peerlbl_sid(struct sk_buff *skb, u16 family, u32 *sid)
        selinux_skb_xfrm_sid(skb, &xfrm_sid);
        selinux_netlbl_skbuff_getsid(skb, family, &nlbl_type, &nlbl_sid);
-        if (security_net_peersid_resolve(nlbl_sid, nlbl_type,
+        err = security_net_peersid_resolve(nlbl_sid, nlbl_type, xfrm_sid, sid);
-                                         xfrm_sid,
+        if (unlikely(err)) {
-                                         sid) != 0)
+                printk(KERN_WARNING
+                       "SELinux: failure in selinux_skb_peerlbl_sid(),"
+                       " unable to determine packet's peer label\n");
                return -EACCES;
+        }
        return 0;
 }
@@ -3925,8 +3934,13 @@ static int selinux_sock_rcv_skb_iptables_compat(struct sock *sk,
        err = security_port_sid(sk->sk_family, sk->sk_type,
                                sk->sk_protocol, ntohs(ad->u.net.sport),
                                &port_sid);
-        if (err)
+        if (unlikely(err)) {
+                printk(KERN_WARNING
+                       "SELinux: failure in"
+                       " selinux_sock_rcv_skb_iptables_compat(),"
+                       " network port label not found\n");
                return err;
+        }
        return avc_has_perm(sk_sid, port_sid, sk_class, recv_perm, ad);
 }
@@ -4343,8 +4357,13 @@ static int selinux_ip_postroute_iptables_compat(struct sock *sk,
        err = security_port_sid(sk->sk_family, sk->sk_type,
                                sk->sk_protocol, ntohs(ad->u.net.dport),
                                &port_sid);
-        if (err)
+        if (unlikely(err)) {
+                printk(KERN_WARNING
+                       "SELinux: failure in"
+                       " selinux_ip_postroute_iptables_compat(),"
+                       " network port label not found\n");
                return err;
+        }
        return avc_has_perm(sk_sid, port_sid, sk_class, send_perm, ad);
 }
author	Paul Moore <paul.moore@hp.com>	2008-01-29 08:51:16 -0500
committer	James Morris <jmorris@namei.org>	2008-01-29 16:17:30 -0500
commit	71f1cb05f773661b6fa98c7a635d7a395cd9c55d (patch)
tree	a540f89c5d1d081ea2c09105f264adce44d92fa9 /security/selinux/hooks.c
parent	effad8df44261031a882e1a895415f7186a5098e (diff)