首页 发现 帮助
注册 登录
phyus
/
linux-vybrid_public
8
0
派生 0
文件 工单管理 0 合并请求 0 Wiki
浏览代码

SELinux: more user friendly unknown handling printk

I've gotten complaints and reports about people not understanding the
meaning of the current unknown class/perm handling the kernel emits on
every policy load.  Hopefully this will make make it clear to everyone
the meaning of the message and won't waste a printk the user won't care
about anyway on systems where the kernel and the policy agree on
everything.

Signed-off-by: Eric Paris <eparis@redhat.com>
Signed-off-by: James Morris <jmorris@namei.org>
Eric Paris 17 年之前
父节点
22df4adb04
当前提交
6cbe27061a
共有 2 个文件被更改,包括 7 次插入5 次删除
合并视图 显示文件统计
  1. 0 5
      security/selinux/selinuxfs.c
  2. 7 0
      security/selinux/ss/services.c

+ 0 - 5
security/selinux/selinuxfs.c
查看文件 

@@ -356,11 +356,6 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf,
 
 		length = count;
 
 		length = count;
 
 
 
 out1:
 
 out1:
 
-
 
-	printk(KERN_INFO "SELinux: policy loaded with handle_unknown=%s\n",
 
-	       (security_get_reject_unknown() ? "reject" :
 
-		(security_get_allow_unknown() ? "allow" : "deny")));
 
-
 
 	audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
 
 	audit_log(current->audit_context, GFP_KERNEL, AUDIT_MAC_POLICY_LOAD,
 
 		"policy loaded auid=%u ses=%u",
 
 		"policy loaded auid=%u ses=%u",
 
 		audit_get_loginuid(current),
 
 		audit_get_loginuid(current),

+ 7 - 0
security/selinux/ss/services.c
查看文件 

@@ -1171,6 +1171,7 @@ static int validate_classes(struct policydb *p)
 
 	const struct selinux_class_perm *kdefs = &selinux_class_perm;
 
 	const struct selinux_class_perm *kdefs = &selinux_class_perm;
 
 	const char *def_class, *def_perm, *pol_class;
 
 	const char *def_class, *def_perm, *pol_class;
 
 	struct symtab *perms;
 
 	struct symtab *perms;
 
+	bool print_unknown_handle = 0;
 
 
 
 	if (p->allow_unknown) {
 
 	if (p->allow_unknown) {
 
 		u32 num_classes = kdefs->cts_len;
 
 		u32 num_classes = kdefs->cts_len;
 
@@ -1191,6 +1192,7 @@ static int validate_classes(struct policydb *p)
 
 				return -EINVAL;
 
 				return -EINVAL;
 
 			if (p->allow_unknown)
 
 			if (p->allow_unknown)
 
 				p->undefined_perms[i-1] = ~0U;
 
 				p->undefined_perms[i-1] = ~0U;
 
+			print_unknown_handle = 1;
 
 			continue;
 
 			continue;
 
 		}
 
 		}
 
 		pol_class = p->p_class_val_to_name[i-1];
 
 		pol_class = p->p_class_val_to_name[i-1];
 
@@ -1220,6 +1222,7 @@ static int validate_classes(struct policydb *p)
 
 				return -EINVAL;
 
 				return -EINVAL;
 
 			if (p->allow_unknown)
 
 			if (p->allow_unknown)
 
 				p->undefined_perms[class_val-1] |= perm_val;
 
 				p->undefined_perms[class_val-1] |= perm_val;
 
+			print_unknown_handle = 1;
 
 			continue;
 
 			continue;
 
 		}
 
 		}
 
 		perdatum = hashtab_search(perms->table, def_perm);
 
 		perdatum = hashtab_search(perms->table, def_perm);
 
@@ -1267,6 +1270,7 @@ static int validate_classes(struct policydb *p)
 
 					return -EINVAL;
 
 					return -EINVAL;
 
 				if (p->allow_unknown)
 
 				if (p->allow_unknown)
 
 					p->undefined_perms[class_val-1] |= (1 << j);
 
 					p->undefined_perms[class_val-1] |= (1 << j);
 
+				print_unknown_handle = 1;
 
 				continue;
 
 				continue;
 
 			}
 
 			}
 
 			perdatum = hashtab_search(perms->table, def_perm);
 
 			perdatum = hashtab_search(perms->table, def_perm);
 
@@ -1284,6 +1288,9 @@ static int validate_classes(struct policydb *p)
 
 			}
 
 			}
 
 		}
 
 		}
 
 	}
 
 	}
 
+	if (print_unknown_handle)
 
+		printk(KERN_INFO "SELinux: the above unknown classes and permissions will be %s\n",
 
+			(security_get_allow_unknown() ? "allowed" : "denied"));
 
 	return 0;
 
 	return 0;
 
 }
 
 }