SELinux: more user friendly unknown handling printk
I've gotten complaints and reports about people not understanding the
meaning of the current unknown class/perm handling the kernel emits on
every policy load.  Hopefully this will make it clear to everyone
the meaning of the message and won't waste a printk the user won't care
about anyway on systems where the kernel and the policy agree on
everything.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Eric Paris authored and James Morris committed Jul 14, 2008
1 parent 22df4ad commit 6cbe270
Showing 2 changed files with 7 additions and 5 deletions.
5 changes: 0 additions & 5 deletions security/selinux/selinuxfs.c
Expand Up @@ -356,11 +356,6 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf,
length = count;

out1:

printk(KERN_INFO "SELinux: policy loaded with handle_unknown=%s\n",
(security_get_reject_unknown() ? "reject" :
(security_get_allow_unknown() ? "allow" : "deny")));

audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
"policy loaded auid=%u ses=%u",
audit_get_loginuid(current),
7 changes: 7 additions & 0 deletions security/selinux/ss/services.c
Expand Up @@ -1171,6 +1171,7 @@ static int validate_classes(struct policydb *p)
const struct selinux_class_perm *kdefs = &selinux_class_perm;
const char *def_class, *def_perm, *pol_class;
struct symtab *perms;
bool print_unknown_handle = 0;

if (p->allow_unknown) {
u32 num_classes = kdefs->cts_len;
Expand All @@ -1191,6 +1192,7 @@ static int validate_classes(struct policydb *p)
return -EINVAL;
if (p->allow_unknown)
p->undefined_perms[i-1] = ~0U;
print_unknown_handle = 1;
continue;
}
pol_class = p->p_class_val_to_name[i-1];
Expand Down Expand Up @@ -1220,6 +1222,7 @@ static int validate_classes(struct policydb *p)
return -EINVAL;
if (p->allow_unknown)
p->undefined_perms[class_val-1] |= perm_val;
print_unknown_handle = 1;
continue;
}
perdatum = hashtab_search(perms->table, def_perm);
Expand Down Expand Up @@ -1267,6 +1270,7 @@ static int validate_classes(struct policydb *p)
return -EINVAL;
if (p->allow_unknown)
p->undefined_perms[class_val-1] |= (1 << j);
print_unknown_handle = 1;
continue;
}
perdatum = hashtab_search(perms->table, def_perm);
Expand All @@ -1284,6 +1288,9 @@ static int validate_classes(struct policydb *p)
}
}
}
if (print_unknown_handle)
printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
(security_get_allow_unknown() ? "allowed" : "denied"));
return 0;
}
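Review bot: The message added at the end of the last hunk reports `security_get_allow_unknown()`, while every other decision in the same function is made on `p->allow_unknown` (the `if (p->allow_unknown)` tests just before each `print_unknown_handle = 1`); if validate_classes() is ever run against a policydb that is not yet the active one, the printk would describe the previous policy's setting rather than the one being validated. Using the function's own argument, `(p->allow_unknown ? "allowed" : "denied")`, keeps the message consistent with the undefined_perms handling in the same hunks. As a point of style, the kernel's `bool` should be initialised and set with `false`/`true` rather than `0`/`1` in the first hunk and at the four assignment sites. validate_classes() begins before the first hunk, and the earlier hunks are fragments of the same body.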

