---
libselinux/src/load_policy.c | 31 ++++++++++++++++++++++++++-----
1 file changed, 26 insertions(+), 5 deletions(-)
Index: trunk/libselinux/src/load_policy.c
===================================================================
--- trunk/libselinux/src/load_policy.c (revision 2792)
+++ trunk/libselinux/src/load_policy.c (working copy)
@@ -46,7 +46,7 @@
int selinux_mkload_policy(int preservebools)
{
int kernvers = security_policyvers();
- int vers = kernvers, minvers = DEFAULT_POLICY_VERSION;
+ int maxvers = kernvers, minvers = DEFAULT_POLICY_VERSION, vers;
int setlocaldefs = load_setlocaldefs;
char path[PATH_MAX], **names;
struct stat sb;
@@ -128,7 +128,7 @@
#endif
if (usesepol) {
- vers = vers_max();
+ maxvers = vers_max();
minvers = vers_min();
}
@@ -157,6 +157,7 @@
if (preservebools && uname(&uts) == 0 && strverscmp(uts.release, "2.6.22") >= 0)
preservebools = 0;
+ vers = maxvers;
search:
snprintf(path, sizeof(path), "%s.%d",
selinux_binary_policy_path(), vers);
@@ -168,11 +169,19 @@
selinux_binary_policy_path(), vers);
fd = open(path, O_RDONLY);
}
- if (fd < 0)
+ if (fd < 0) {
+ fprintf(stderr,
+ "SELinux: Could not open policy file <= %s.%d: %s\n",
+ selinux_binary_policy_path(), maxvers, strerror(errno));
goto dlclose;
+ }
- if (fstat(fd, &sb) < 0)
+ if (fstat(fd, &sb) < 0) {
+ fprintf(stderr,
+ "SELinux: Could not stat policy file %s: %s\n",
+ path, strerror(errno));
goto close;
+ }
prot = PROT_READ;
if (setlocaldefs || preservebools)
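Review bot: The `fprintf(stderr, ...)` calls added on the open and fstat failure paths can themselves modify errno (for example if stderr is closed or not writable), so a caller that inspects errno after selinux_mkload_policy() fails may see the wrong cause. Saving and restoring it around the message keeps the original error: `int saved_errno = errno;` before the call and `errno = saved_errno;` after it. The same applies to the mmap message in the `@@ -180` hunk and the security_load_policy message in the `@@ -254` hunk. The function continues outside these hunks, so whether the cleanup after the `close`/`dlclose` labels already disturbs errno cannot be seen from here.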
@@ -180,8 +189,12 @@
size = sb.st_size;
data = map = mmap(NULL, size, prot, MAP_PRIVATE, fd, 0);
- if (map == MAP_FAILED)
+ if (map == MAP_FAILED) {
+ fprintf(stderr,
+ "SELinux: Could not map policy file %s: %s\n",
+ path, strerror(errno));
goto close;
+ }
if (vers > kernvers && usesepol) {
/* Need to downgrade to kernel-supported version. */
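Review bot: A zero-length policy file still reaches `mmap` with `size` taken straight from `sb.st_size`. On Linux that call fails with EINVAL, so the new message would read "Could not map policy file ...: Invalid argument" for what is really an empty or truncated file. An explicit `if (sb.st_size == 0)` check before the mapping, with its own message and `goto close`, would let an administrator tell a damaged policy file apart from a mapping problem. The declaration of `size` is outside the hunk, so it is also worth confirming that assigning the `off_t` value to it cannot truncate.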
@@ -200,6 +213,9 @@
if (policydb_set_vers(policydb, kernvers) ||
policydb_to_image(NULL, policydb, &data, &size)) {
/* Downgrade failed, keep searching. */
+ fprintf(stderr,
+ "SELinux: Could not downgrade policy file %s, searching for an older version.\n",
+ path);
policy_file_free(pf);
policydb_free(policydb);
munmap(map, sb.st_size);
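Review bot: The downgrade message names the file but not the versions involved, although `vers` and `kernvers` are both in scope here (the enclosing `if (vers > kernvers && usesepol)` begins in the previous hunk). Including them would make the log explain why the search continues: `"SELinux: Could not downgrade policy file %s from version %d to %d, searching for an older version.\n", path, vers, kernvers`. Leaving out strerror(errno) looks right for this message, since nothing visible shows policydb_set_vers() or policydb_to_image() setting errno.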
@@ -254,6 +270,11 @@
rc = security_load_policy(data, size);
+
+ if (rc)
+ fprintf(stderr,
+ "SELinux: Could not load policy file %s: %s\n",
+ path, strerror(errno));
unmap:
if (data != map)