-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Currently load_policy will just fail without a decent error message. Note: The patch has to check if load_policy failed on a disabled machine, in order to not report an error. -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.11 (GNU/Linux) Comment: Using GnuPG with Fedora - http://enigmail.mozdev.org/ iEYEARECAAYFAk0GaEYACgkQrlYvE4MpobMxrwCg6JMdPm28IEuL2Eco++OCHThw sYAAn2BTXe1BYCjYdzDAjnA08t0dKquQ =N1Uu -----END PGP SIGNATURE-----
diff --git a/policycoreutils/load_policy/load_policy.c b/policycoreutils/load_policy/load_policy.c
index 47d9b0f..566565f 100644
--- a/policycoreutils/load_policy/load_policy.c
+++ b/policycoreutils/load_policy/load_policy.c
@@ -1,3 +1,4 @@
+#define _GNU_SOURCE
 #include <unistd.h>
 #include <stdlib.h>
 #include <stdio.h>
@@ -23,6 +24,14 @@ void usage(char *progname)
 exit(1);
 }
 
+char *policy_path(void) {
+ char *path=NULL;
+ if (asprintf(&path, "%s.%d", selinux_binary_policy_path(), security_policyvers()) < 0) {
+ return NULL;
+ }
+ return path;
+}
+
 int main(int argc, char **argv)
 {
 int ret, opt, quiet = 0, nargs, init=0, enforce=0;
@@ -64,6 +73,7 @@ int main(int argc, char **argv)
 "%s: Warning! Boolean file argument (%s) is no longer supported, installed booleans file is always used. Continuing...\n",
 argv[0], argv[optind++]);
 }
+ errno = 0;
 if (init) {
 if (is_selinux_enabled() == 1) {
 /* SELinux is already enabled, we should not do an initial load again */
@@ -76,9 +86,11 @@ int main(int argc, char **argv)
 if (ret != 0 ) {
 if (enforce > 0) {
 /* SELinux in enforcing mode but load_policy failed */
+ char *path=policy_path();
 fprintf(stderr,
- _("%s: Can't load policy and enforcing mode requested: %s\n"),
- argv[0], strerror(errno));
+ _("%s: Can't load policy file %s and enforcing mode requested: %s\n"),
+ argv[0], path, strerror(errno));
+ free(path);
 exit(3);
 }
 }
@@ -86,9 +98,16 @@ int main(int argc, char **argv)
 else {
 ret = selinux_mkload_policy(1);
 }
- if (ret < 0) {
- fprintf(stderr, _("%s: Can't load policy: %s\n"),
- argv[0], strerror(errno));
+
+ /* selinux_init_load_policy returns -1 if it did not load_policy
+ * On SELinux disabled system it will always return -1
+ * So check errno to see if anything went wrong
+ */
+ if (ret < 0 && errno != 0) {
+ char *path=policy_path();
+ fprintf(stderr, _("%s: Can't load policy file %s: %s\n"),
+ argv[0], path, strerror(errno));
+ free(path);
 exit(2);
 }
 exit(0);
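Review bot: policy_path() returns NULL when asprintf() fails, and both new call sites in main() hand that result straight to a `%s` conversion, which is undefined behaviour in C even though glibc happens to print "(null)". Guard the argument at the call sites, e.g. `path ? path : "(unknown)"`, or have the helper fall back to a fixed string. security_policyvers() is also used unchecked, so if it reports failure with a negative value the message would name a file such as `policy.-1`. The printed name is built from the kernel's policy version, which may not be the file libselinux actually attempted if it tries more than one version; wording it as the expected path would avoid misleading whoever is diagnosing a load failure. The helper is only used in this file, so `static char *policy_path(void)` would fit better.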
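Review bot: The errno printed in the enforcing-mode error can be stale, because `char *path=policy_path();` runs before `strerror(errno)` is evaluated and asprintf() or the libselinux calls inside the helper may overwrite errno. On this path the machine was asked to enforce and the policy load failed, so the reported cause should be the one from the load itself. Capture it first with `int saved_errno = errno;` ahead of the policy_path() call and print `strerror(saved_errno)`. The same ordering appears in the last hunk before `exit(2)`. main() starts and ends outside this hunk.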
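Review bot: The new condition `ret < 0 && errno != 0` also covers the non-init branch, so a failed `selinux_mkload_policy(1)` that leaves errno at 0 now falls through to `exit(0)` and callers see success although no policy was loaded. The added comment only justifies the exception for selinux_init_load_policy on a disabled system; restricting it to that path with `if (ret < 0 && (!init || errno != 0)) {` keeps the explicit load failing closed. The test also depends on the `errno = 0;` added in the earlier hunk and on libselinux not touching errno while it probes a disabled system, which is not visible here and should be confirmed. A one-line comment next to `errno = 0;` saying that it is a sentinel for the later check would help the next reader. main() continues outside the hunk.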