selinux: log errors when loading new policy
authorGary Tierney <gary.tierney@gmx.com>
Mon, 9 Jan 2017 15:07:31 +0000 (10:07 -0500)
committerPaul Moore <paul@paul-moore.com>
Mon, 9 Jan 2017 15:07:31 +0000 (10:07 -0500)
Adds error logging to the code paths which can fail when loading a new
policy in sel_write_load().  If the policy fails to be loaded from
userspace then a warning message is printed, whereas if a failure occurs
after loading policy from userspace an error message will be printed
with details on where policy loading failed (recreating one of /classes/,
/policy_capabilities/, /booleans/ in the SELinux fs).

Also, if sel_make_bools() fails to obtain an SID for an entry in
/booleans/* an error will be printed indicating the path of the
boolean.

Signed-off-by: Gary Tierney <gary.tierney@gmx.com>
Acked-by: Stephen Smalley <sds@tycho.nsa.gov>
Signed-off-by: Paul Moore <paul@paul-moore.com>
security/selinux/selinuxfs.c

index 55345f84f17d31fbafae6cf048d1123e5bbfb22f..7672b61d6673d2e70cff7f90ac5e94b045f8cb21 100644 (file)
@@ -508,20 +508,28 @@ static ssize_t sel_write_load(struct file *file, const char __user *buf,
                goto out;
 
        length = security_load_policy(data, count);
-       if (length)
+       if (length) {
+               pr_warn_ratelimited("SELinux: failed to load policy\n");
                goto out;
+       }
 
        length = sel_make_bools();
-       if (length)
+       if (length) {
+               pr_err("SELinux: failed to load policy booleans\n");
                goto out1;
+       }
 
        length = sel_make_classes();
-       if (length)
+       if (length) {
+               pr_err("SELinux: failed to load policy classes\n");
                goto out1;
+       }
 
        length = sel_make_policycap();
-       if (length)
+       if (length) {
+               pr_err("SELinux: failed to load policy capabilities\n");
                goto out1;
+       }
 
        length = count;
 
@@ -1302,9 +1310,12 @@ static int sel_make_bools(void)
 
                isec = (struct inode_security_struct *)inode->i_security;
                ret = security_genfs_sid("selinuxfs", page, SECCLASS_FILE, &sid);
-               if (ret)
+               if (ret) {
+                       pr_err("SELinux: failed to lookup sid for %s\n", page);
                        goto out;
 
+               }
+
                isec->sid = sid;
                isec->initialized = LABEL_INITIALIZED;
                inode->i_fop = &sel_bool_ops;
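Review bot: The new closing brace is placed after the pre-existing blank line, leaving an empty line inside the `if (ret) {` block between `goto out;` and `}`, which reads as an accidental brace placement rather than a style choice; moving the brace up gives `if (ret) {`, `pr_err("SELinux: failed to lookup sid for %s: %d\n", page, ret);`, `goto out;` followed immediately by `}`, with the blank line kept after it. Folding `ret` into the message, as shown, also distinguishes a missing genfscon entry from other security_genfs_sid() failures without a second log line. The message prints `page`, which from the surrounding lines appears to be the boolean's path buffer built earlier in the loop; that is outside the hunk, so worth confirming it is NUL-terminated at this point. sel_make_bools()'s body starts and ends outside the hunk.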