forked from luck/tmp_suning_uos_patched
SELinux: more user friendly unknown handling printk
I've gotten complaints and reports about people not understanding the meaning of the current unknown class/perm handling the kernel emits on every policy load. Hopefully this will make make it clear to everyone the meaning of the message and won't waste a printk the user won't care about anyway on systems where the kernel and the policy agree on everything. Signed-off-by: Eric Paris <eparis@redhat.com> Signed-off-by: James Morris <jmorris@namei.org>
This commit is contained in:
parent
22df4adb04
commit
6cbe27061a
|
@ -356,11 +356,6 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf,
|
|||
length = count;
|
||||
|
||||
out1:
|
||||
|
||||
printk(KERN_INFO "SELinux: policy loaded with handle_unknown=%s\n",
|
||||
(security_get_reject_unknown() ? "reject" :
|
||||
(security_get_allow_unknown() ? "allow" : "deny")));
|
||||
|
||||
audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
|
||||
"policy loaded auid=%u ses=%u",
|
||||
audit_get_loginuid(current),
|
||||
|
|
|
@ -1171,6 +1171,7 @@ static int validate_classes(struct policydb *p)
|
|||
const struct selinux_class_perm *kdefs = &selinux_class_perm;
|
||||
const char *def_class, *def_perm, *pol_class;
|
||||
struct symtab *perms;
|
||||
bool print_unknown_handle = 0;
|
||||
|
||||
if (p->allow_unknown) {
|
||||
u32 num_classes = kdefs->cts_len;
|
||||
|
@ -1191,6 +1192,7 @@ static int validate_classes(struct policydb *p)
|
|||
return -EINVAL;
|
||||
if (p->allow_unknown)
|
||||
p->undefined_perms[i-1] = ~0U;
|
||||
print_unknown_handle = 1;
|
||||
continue;
|
||||
}
|
||||
pol_class = p->p_class_val_to_name[i-1];
|
||||
|
@ -1220,6 +1222,7 @@ static int validate_classes(struct policydb *p)
|
|||
return -EINVAL;
|
||||
if (p->allow_unknown)
|
||||
p->undefined_perms[class_val-1] |= perm_val;
|
||||
print_unknown_handle = 1;
|
||||
continue;
|
||||
}
|
||||
perdatum = hashtab_search(perms->table, def_perm);
|
||||
|
@ -1267,6 +1270,7 @@ static int validate_classes(struct policydb *p)
|
|||
return -EINVAL;
|
||||
if (p->allow_unknown)
|
||||
p->undefined_perms[class_val-1] |= (1 << j);
|
||||
print_unknown_handle = 1;
|
||||
continue;
|
||||
}
|
||||
perdatum = hashtab_search(perms->table, def_perm);
|
||||
|
@ -1284,6 +1288,9 @@ static int validate_classes(struct policydb *p)
|
|||
}
|
||||
}
|
||||
}
|
||||
if (print_unknown_handle)
|
||||
printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
|
||||
(security_get_allow_unknown() ? "allowed" : "denied"));
|
||||
return 0;
|
||||
}
|
||||
|
||||
|
|
Loading…
Reference in New Issue
Block a user