[PATCH 16/20] SELinux: more user friendly unknown handling printk

From: James Morris
Date: Mon Jul 07 2008 - 12:54:14 EST

Next message: James Morris: "[PATCH 14/20] SELinux: drop load_mutex in security_load_policy"
Previous message: James Morris: "[PATCH 11/20] SELinux: open code load_mutex"
In reply to: James Morris: "[PATCH 11/20] SELinux: open code load_mutex"
Next in thread: James Morris: "[PATCH 14/20] SELinux: drop load_mutex in security_load_policy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

From: Eric Paris <eparis@xxxxxxxxxx>

I've gotten complaints and reports about people not understanding the
meaning of the current unknown class/perm handling the kernel emits on
every policy load. Hopefully this will make make it clear to everyone
the meaning of the message and won't waste a printk the user won't care
about anyway on systems where the kernel and the policy agree on
everything.

Signed-off-by: Eric Paris <eparis@xxxxxxxxxx>
Signed-off-by: James Morris <jmorris@xxxxxxxxx>
---
security/selinux/selinuxfs.c | 5 -----
security/selinux/ss/services.c | 7 +++++++
2 files changed, 7 insertions(+), 5 deletions(-)

diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 07a5db6..69c9dcc 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -356,11 +356,6 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf,
length = count;

out1:
-
- printk(KERN_INFO "SELinux: policy loaded with handle_unknown=%s\n",
- (security_get_reject_unknown() ? "reject" :
- (security_get_allow_unknown() ? "allow" : "deny")));
-
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
"policy loaded auid=%u ses=%u",
audit_get_loginuid(current),
diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c
index 04c0b70..b52f923 100644
--- a/security/selinux/ss/services.c
+++ b/security/selinux/ss/services.c
@@ -1171,6 +1171,7 @@ static int validate_classes(struct policydb *p)
const struct selinux_class_perm *kdefs = &selinux_class_perm;
const char *def_class, *def_perm, *pol_class;
struct symtab *perms;
+ bool print_unknown_handle = 0;

if (p->allow_unknown) {
u32 num_classes = kdefs->cts_len;
@@ -1191,6 +1192,7 @@ static int validate_classes(struct policydb *p)
return -EINVAL;
if (p->allow_unknown)
p->undefined_perms[i-1] = ~0U;
+ print_unknown_handle = 1;
continue;
}
pol_class = p->p_class_val_to_name[i-1];
@@ -1220,6 +1222,7 @@ static int validate_classes(struct policydb *p)
return -EINVAL;
if (p->allow_unknown)
p->undefined_perms[class_val-1] |= perm_val;
+ print_unknown_handle = 1;
continue;
}
perdatum = hashtab_search(perms->table, def_perm);
@@ -1267,6 +1270,7 @@ static int validate_classes(struct policydb *p)
return -EINVAL;
if (p->allow_unknown)
p->undefined_perms[class_val-1] |= (1 << j);
+ print_unknown_handle = 1;
continue;
}
perdatum = hashtab_search(perms->table, def_perm);
@@ -1284,6 +1288,9 @@ static int validate_classes(struct policydb *p)
}
}
}
+ if (print_unknown_handle)
+ printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
+ (security_get_allow_unknown() ? "allowed" : "denied"));
return 0;
}

--
1.5.5.1

--
To unsubscribe from this list: send the line "unsubscribe linux-kernel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
Please read the FAQ at http://www.tux.org/lkml/

Next message: James Morris: "[PATCH 14/20] SELinux: drop load_mutex in security_load_policy"
Previous message: James Morris: "[PATCH 11/20] SELinux: open code load_mutex"
In reply to: James Morris: "[PATCH 11/20] SELinux: open code load_mutex"
Next in thread: James Morris: "[PATCH 14/20] SELinux: drop load_mutex in security_load_policy"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]