Commit 6cbe2706 authored by Eric Paris's avatar Eric Paris Committed by James Morris

SELinux: more user friendly unknown handling printk

I've gotten complaints and reports about people not understanding the
meaning of the current unknown class/perm handling the kernel emits on
every policy load.  Hopefully this will make it clear to everyone
the meaning of the message and won't waste a printk the user won't care
about anyway on systems where the kernel and the policy agree on
everything.
Signed-off-by: default avatarEric Paris <eparis@redhat.com>
Signed-off-by: default avatarJames Morris <jmorris@namei.org>
parent 22df4adb
...@@ -356,11 +356,6 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf, ...@@ -356,11 +356,6 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf,
length = count; length = count;
out1: out1:
printk(KERN_INFO "SELinux: policy loaded with handle_unknown=%s\n",
(security_get_reject_unknown() ? "reject" :
(security_get_allow_unknown() ? "allow" : "deny")));
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD, audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
"policy loaded auid=%u ses=%u", "policy loaded auid=%u ses=%u",
audit_get_loginuid(current), audit_get_loginuid(current),
......
...@@ -1171,6 +1171,7 @@ static int validate_classes(struct policydb *p) ...@@ -1171,6 +1171,7 @@ static int validate_classes(struct policydb *p)
const struct selinux_class_perm *kdefs = &selinux_class_perm; const struct selinux_class_perm *kdefs = &selinux_class_perm;
const char *def_class, *def_perm, *pol_class; const char *def_class, *def_perm, *pol_class;
struct symtab *perms; struct symtab *perms;
bool print_unknown_handle = 0;
if (p->allow_unknown) { if (p->allow_unknown) {
u32 num_classes = kdefs->cts_len; u32 num_classes = kdefs->cts_len;
...@@ -1191,6 +1192,7 @@ static int validate_classes(struct policydb *p) ...@@ -1191,6 +1192,7 @@ static int validate_classes(struct policydb *p)
return -EINVAL; return -EINVAL;
if (p->allow_unknown) if (p->allow_unknown)
p->undefined_perms[i-1] = ~0U; p->undefined_perms[i-1] = ~0U;
print_unknown_handle = 1;
continue; continue;
} }
pol_class = p->p_class_val_to_name[i-1]; pol_class = p->p_class_val_to_name[i-1];
...@@ -1220,6 +1222,7 @@ static int validate_classes(struct policydb *p) ...@@ -1220,6 +1222,7 @@ static int validate_classes(struct policydb *p)
return -EINVAL; return -EINVAL;
if (p->allow_unknown) if (p->allow_unknown)
p->undefined_perms[class_val-1] |= perm_val; p->undefined_perms[class_val-1] |= perm_val;
print_unknown_handle = 1;
continue; continue;
} }
perdatum = hashtab_search(perms->table, def_perm); perdatum = hashtab_search(perms->table, def_perm);
...@@ -1267,6 +1270,7 @@ static int validate_classes(struct policydb *p) ...@@ -1267,6 +1270,7 @@ static int validate_classes(struct policydb *p)
return -EINVAL; return -EINVAL;
if (p->allow_unknown) if (p->allow_unknown)
p->undefined_perms[class_val-1] |= (1 << j); p->undefined_perms[class_val-1] |= (1 << j);
print_unknown_handle = 1;
continue; continue;
} }
perdatum = hashtab_search(perms->table, def_perm); perdatum = hashtab_search(perms->table, def_perm);
...@@ -1284,6 +1288,9 @@ static int validate_classes(struct policydb *p) ...@@ -1284,6 +1288,9 @@ static int validate_classes(struct policydb *p)
} }
} }
} }
if (print_unknown_handle)
printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
(security_get_allow_unknown() ? "allowed" : "denied"));
return 0; return 0;
} }
......
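Review bot: The new message at the end of validate_classes chooses between "allowed" and "denied" with `security_get_allow_unknown()`, which takes no argument and so cannot be reading the policy `p` this function is validating; the branches in the same hunks test `p->allow_unknown`, and if the helper reports the currently active policy the message would be wrong on a reload that changes the setting. Using the same source, `(p->allow_unknown ? "allowed" : "denied"));`, keeps the message consistent with what validate_classes actually recorded in `p->undefined_perms`. The flag is a `bool` but is written with `0` and `1` at its declaration and at the three set sites; `false`/`true` would read better. Each set site sits directly after a braceless `if (p->allow_unknown)` and is meant to run unconditionally, which is easy to misread; a short comment such as `/* set for allow and deny alike; reported below */` would make that explicit. The function's signature and the earlier checks it relies on are outside the hunks shown.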