| -rw-r--r-- | security/selinux/selinuxfs.c | 5 | ||||
| -rw-r--r-- | security/selinux/ss/services.c | 7 |
2 files changed, 7 insertions, 5 deletions
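--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -356,11 +356,6 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf,
 length = count;
 
 out1:
-
-printk(KERN_INFO "SELinux: policy loaded with handle_unknown=%s\n",
-(security_get_reject_unknown() ? "reject" :
-(security_get_allow_unknown() ? "allow" : "deny")));
-
 audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
 "policy loaded auid=%u ses=%u",
 audit_get_loginuid(current),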
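--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1171,6 +1171,7 @@ static int validate_classes(struct policydb *p)
 const struct selinux_class_perm *kdefs = &selinux_class_perm;
 const char *def_class, *def_perm, *pol_class;
 struct symtab *perms;
+bool print_unknown_handle = 0;
 
 if (p->allow_unknown) {
 u32 num_classes = kdefs->cts_len;
@@ -1191,6 +1192,7 @@ static int validate_classes(struct policydb *p)
 return -EINVAL;
 if (p->allow_unknown)
 p->undefined_perms[i-1] = ~0U;
+print_unknown_handle = 1;
 continue;
 }
 pol_class = p->p_class_val_to_name[i-1];
@@ -1220,6 +1222,7 @@ static int validate_classes(struct policydb *p)
 return -EINVAL;
 if (p->allow_unknown)
 p->undefined_perms[class_val-1] |= perm_val;
+print_unknown_handle = 1;
 continue;
 }
 perdatum = hashtab_search(perms->table, def_perm);
@@ -1267,6 +1270,7 @@ static int validate_classes(struct policydb *p)
 return -EINVAL;
 if (p->allow_unknown)
 p->undefined_perms[class_val-1] |= (1 << j);
+print_unknown_handle = 1;
 continue;
 }
 perdatum = hashtab_search(perms->table, def_perm);
@@ -1284,6 +1288,9 @@ static int validate_classes(struct policydb *p)
 }
 }
 }
+if (print_unknown_handle)
+printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
+(security_get_allow_unknown() ? "allowed" : "denied"));
 return 0;
 }
 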
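Review bot: The summary printk added at the end of validate_classes() (last hunk) picks "allowed"/"denied" from `security_get_allow_unknown()`, whereas every other decision in the function tests `p->allow_unknown` on the policy being validated. If that helper reads the currently active policy rather than `p` (its definition is not shown here, and the function's opening lines lie outside these hunks), a reload that changes handle_unknown could log the previous policy's setting and mislead anyone reading the load log. Using `(p->allow_unknown ? "allowed" : "denied")` would tie the message to the policy under validation. As a minor style point, `print_unknown_handle` is declared `bool` but assigned `0`/`1`; `false`/`true` would match the type.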
