diff options
author | Eric Paris <eparis@redhat.com> | 2008-06-09 22:51:37 +0200 |
---|---|---|
committer | James Morris <jmorris@namei.org> | 2008-07-14 07:02:00 +0200 |
commit | 6cbe27061a69ab89d25dbe42d1a4f33a8425fe88 (patch) | |
tree | 883e50c699dcd495ca9fc985e71622394ce21001 | |
parent | selinux: change handling of invalid classes (Was: Re: 2.6.26-rc5-mm1 selinux ... (diff) | |
download | linux-6cbe27061a69ab89d25dbe42d1a4f33a8425fe88.tar.xz linux-6cbe27061a69ab89d25dbe42d1a4f33a8425fe88.zip |
SELinux: more user friendly unknown handling printk
I've gotten complaints and reports about people not understanding the
meaning of the current unknown class/perm handling the kernel emits on
every policy load. Hopefully this will make make it clear to everyone
the meaning of the message and won't waste a printk the user won't care
about anyway on systems where the kernel and the policy agree on
everything.
Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
-rw-r--r-- | security/selinux/selinuxfs.c | 5 | ||||
-rw-r--r-- | security/selinux/ss/services.c | 7 |
2 files changed, 7 insertions, 5 deletions
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 07a5db69571c..69c9dccc8cf0 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -356,11 +356,6 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf, length = count; out1: - - printk(KERN_INFO "SELinux: policy loaded with handle_unknown=%s\n", - (security_get_reject_unknown() ? "reject" : - (security_get_allow_unknown() ? "allow" : "deny"))); - audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD, "policy loaded auid=%u ses=%u", audit_get_loginuid(current), diff --git a/security/selinux/ss/services.c b/security/selinux/ss/services.c index 04c0b70c8012..b52f923ce680 100644 --- a/security/selinux/ss/services.c +++ b/security/selinux/ss/services.c @@ -1171,6 +1171,7 @@ static int validate_classes(struct policydb *p) const struct selinux_class_perm *kdefs = &selinux_class_perm; const char *def_class, *def_perm, *pol_class; struct symtab *perms; + bool print_unknown_handle = 0; if (p->allow_unknown) { u32 num_classes = kdefs->cts_len; @@ -1191,6 +1192,7 @@ static int validate_classes(struct policydb *p) return -EINVAL; if (p->allow_unknown) p->undefined_perms[i-1] = ~0U; + print_unknown_handle = 1; continue; } pol_class = p->p_class_val_to_name[i-1]; @@ -1220,6 +1222,7 @@ static int validate_classes(struct policydb *p) return -EINVAL; if (p->allow_unknown) p->undefined_perms[class_val-1] |= perm_val; + print_unknown_handle = 1; continue; } perdatum = hashtab_search(perms->table, def_perm); @@ -1267,6 +1270,7 @@ static int validate_classes(struct policydb *p) return -EINVAL; if (p->allow_unknown) p->undefined_perms[class_val-1] |= (1 << j); + print_unknown_handle = 1; continue; } perdatum = hashtab_search(perms->table, def_perm); @@ -1284,6 +1288,9 @@ static int validate_classes(struct policydb *p) } } } + if (print_unknown_handle) + printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n", + (security_get_allow_unknown() ? "allowed" : "denied")); return 0; } |