authorGary Tierney <gary.tierney@gmx.com>2017-01-09 18:07:31 +0300
committerPaul Moore <paul@paul-moore.com>2017-01-09 18:07:31 +0300
commit4262fb51c9f53e0c623663216e6a5d1872a45824 (patch)
treed0f5bd65f6997a134804685bfe6c26fbf1dd513b
parentb21507e272627c434e8dd74e8d51fd8245281b59 (diff)
downloadlinux-4262fb51c9f53e0c623663216e6a5d1872a45824.tar.xz
selinux: log errors when loading new policy
Adds error logging to the code paths which can fail when loading a new policy in sel_write_load(). If the policy fails to be loaded from userspace then a warning message is printed, whereas if a failure occurs after loading policy from userspace an error message will be printed with details on where policy loading failed (recreating one of /classes/, /policy_capabilities/, /booleans/ in the SELinux fs). Also, if sel_make_bools() fails to obtain an SID for an entry in /booleans/* an error will be printed indicating the path of the boolean. Signed-off-by: Gary Tierney <gary.tierney@gmx.com> Acked-by: Stephen Smalley <sds@tycho.nsa.gov> Signed-off-by: Paul Moore <paul@paul-moore.com>
-rw-r--r--security/selinux/selinuxfs.c21
1 files changed, 16 insertions, 5 deletions
diff --git a/security/selinux/selinuxfs.c b/security/selinux/selinuxfs.c
index 55345f84f17d..7672b61d6673 100644
--- a/security/selinux/selinuxfs.c
+++ b/security/selinux/selinuxfs.c
@@ -508,20 +508,28 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf,
goto out;
length = security_load_policy(data, count);
- if (length)
+ if (length) {
+ pr_warn_ratelimited("SELinux: failed to load policy\n");
goto out;
+ }
length = sel_make_bools();
- if (length)
+ if (length) {
+ pr_err("SELinux: failed to load policy booleans\n");
goto out1;
+ }
length = sel_make_classes();
- if (length)
+ if (length) {
+ pr_err("SELinux: failed to load policy classes\n");
goto out1;
+ }
length = sel_make_policycap();
- if (length)
+ if (length) {
+ pr_err("SELinux: failed to load policy capabilities\n");
goto out1;
+ }
length = count;
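Review bot: None of the four new log lines carries the error value, so the log only says which step failed and not why; the `pr_warn_ratelimited` after `security_load_policy()` and the three `pr_err` calls after `sel_make_bools()`, `sel_make_classes()` and `sel_make_policycap()` all have `length` in hand at that point. Appending it, e.g. `pr_err("SELinux: failed to load policy booleans: %zd\n", length);` (assuming `length` is the function's ssize_t return variable — confirm the declaration, which is outside the hunk), would make the three identical-looking post-load failures distinguishable from one another in a crash report. It would also be worth stating in the `out1` messages that the new policy has already been installed in the kernel at that point and only the selinuxfs view failed to be rebuilt, since the commit message notes that distinction but the log text itself does not. sel_write_load() begins and ends outside this hunk.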
@@ -1302,9 +1310,12 @@ static int sel_make_bools(void)
isec = (struct inode_security_struct *)inode->i_security;
ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid);
- if (ret)
+ if (ret) {
+ pr_err("SELinux: failed to lookup sid for %s\n", page);
goto out;
+ }
+
isec->sid = sid;
isec->initialized = LABEL_INITIALIZED;
inode->i_fop = &sel_bool_ops;