diff options
author | Gary Tierney <gary.tierney@gmx.com> | 2017-01-09 10:07:31 -0500 |
---|---|---|
committer | Paul Moore <paul@paul-moore.com> | 2017-01-09 10:07:31 -0500 |
commit | 4262fb51c9f53e0c623663216e6a5d1872a45824 (patch) | |
tree | d0f5bd65f6997a134804685bfe6c26fbf1dd513b /security | |
parent | b21507e272627c434e8dd74e8d51fd8245281b59 (diff) |
selinux: log errors when loading new policy
Adds error logging to the code paths which can fail when loading a new
policy in sel_write_load(). If the policy fails to be loaded from
userspace then a warning message is printed, whereas if a failure occurs
after loading policy from userspace an error message will be printed
with details on where policy loading failed (recreating one of /classes/,
/policy_capabilities/, /booleans/ in the SELinux fs).
Also, if sel_make_bools() fails to obtain an SID for an entry in
/booleans/* an error will be printed indicating the path of the
boolean.
Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
Diffstat (limited to 'security')
-rw-r--r-- | security/selinux/selinuxfs.c | 21 |
1 files changed, 16 insertions, 5 deletions
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c index 55345f84f17d..7672b61d6673 100644 --- a/security/selinux/selinuxfs.c +++ b/security/selinux/selinuxfs.c @@ -508,20 +508,28 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf, goto out; length = security_load_policy(data, count); - if (length) + if (length) { + pr_warn_ratelimited("SELinux: failed to load policy\n"); goto out; + } length = sel_make_bools(); - if (length) + if (length) { + pr_err("SELinux: failed to load policy booleans\n"); goto out1; + } length = sel_make_classes(); - if (length) + if (length) { + pr_err("SELinux: failed to load policy classes\n"); goto out1; + } length = sel_make_policycap(); - if (length) + if (length) { + pr_err("SELinux: failed to load policy capabilities\n"); goto out1; + } length = count; @@ -1302,9 +1310,12 @@ static int sel_make_bools(void) isec = (struct inode_security_struct *)inode->i_security; ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid); - if (ret) + if (ret) { + pr_err("SELinux: failed to lookup sid for %s\n", page); goto out; + } + isec->sid = sid; isec->initialized = LABEL_INITIALIZED; inode->i_fop = &sel_bool_ops; |