Re: [patch] libselinux: provide more error reporting on load policy failures


 



On Fri, 2008-02-08 at 11:26 -0500, Stephen Smalley wrote:
> On Thu, 2008-02-07 at 17:12 -0500, Joshua Brindle wrote:
> > Understood. I only asked because of the setools thread where there are 
> > apparently 2 cases to cover, make it just work for most people and to be 
> > very specific for analysts. If an analyst (or Dan) can't easily get 
> > policy load information from a target machine (where it was loaded from, 
> > if it was downgraded) it may be more error prone to analyze the policy 
> > or troubleshoot an error.
> > 
> > The handle_unknown thing was probably startling because it isn't very 
> > obvious what it means. Policy loaded from <path> [downgraded to version 
> > <ver>]. hopefully wouldn't raise alarms (though the downgraded part may).
> > 
> > It was just a thought...
> 
> Patch below, relative to the prior one.
> # /usr/sbin/load_policy 
> SELinux:  Loaded policy from /etc/selinux/targeted/policy/policy.22 (downgraded to version 21).
> # rm /etc/selinux/targeted/policy/policy.22
> # /usr/sbin/load_policy 
> SELinux:  Loaded policy from /etc/selinux/targeted/policy/policy.21.

Actually, this also shows up when you run semodule.  Not sure if that is
what we want.
# /usr/sbin/semodule -B
SELinux:  Loaded policy from /etc/selinux/targeted/policy/policy.22 (downgraded to version 21).

> 
> Signed-off-by:  Stephen Smalley <sds@xxxxxxxxxxxxx>
> 
> ---
> 
>  libselinux/src/load_policy.c |    5 +++++
>  1 file changed, 5 insertions(+)
> 
> Index: trunk/libselinux/src/load_policy.c
> ===================================================================
> --- trunk/libselinux/src/load_policy.c	(revision 2796)
> +++ trunk/libselinux/src/load_policy.c	(working copy)
> @@ -275,6 +275,11 @@
>  		fprintf(stderr,
>  			"SELinux:  Could not load policy file %s:  %s\n",
>  			path, strerror(errno));
> +	else if (vers > kernvers)
> +		printf("SELinux:  Loaded policy from %s (downgraded to version %d).\n",
> +		       path, kernvers);
> +	else
> +		printf("SELinux:  Loaded policy from %s.\n", path);
>  
>        unmap:
>  	if (data != map)
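Review bot: The two added success branches print to stdout with printf, unconditionally, from inside the library's load path, while the failure branch just above them uses fprintf(stderr, ...). Every program that goes through this code will therefore emit the "Loaded policy from ..." line on each successful load, which is how it ends up in the semodule -B output mentioned above. Consider keeping an unconditional message only for the downgrade case (vers > kernvers) and leaving the plain success line to the caller or behind a verbosity setting. A short comment on what vers and kernvers hold at this point would also make the comparison easier to read.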
> 
-- 
Stephen Smalley
National Security Agency

