[RFC PATCH 4/6] selinux: improve network lookup failure warnings

Christian Göttsche <cgoettsche@xxxxxxxxxxxxx> · Tue, 18 Mar 2025 09:33:31 +0100

From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>

Rate limit the warnings and include additional available information.

Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
 security/selinux/netif.c   | 8 ++++----
 security/selinux/netnode.c | 4 ++--
 security/selinux/netport.c | 4 ++--
 3 files changed, 8 insertions(+), 8 deletions(-)

diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index 43a0d3594b72..38fdba1e64bf 100644
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -141,8 +141,8 @@ static int sel_netif_sid_slow(struct net *ns, int ifindex, u32 *sid)
 
 	dev = dev_get_by_index(ns, ifindex);
 	if (unlikely(dev == NULL)) {
-		pr_warn("SELinux: failure in %s(), invalid network interface (%d)\n",
-			__func__, ifindex);
+		pr_warn_ratelimited("SELinux: failure in %s(), invalid network interface (%d)\n",
+				    __func__, ifindex);
 		return -ENOENT;
 	}
 
@@ -169,8 +169,8 @@ static int sel_netif_sid_slow(struct net *ns, int ifindex, u32 *sid)
 	spin_unlock_bh(&sel_netif_lock);
 	dev_put(dev);
 	if (unlikely(ret))
-		pr_warn("SELinux: failure in %s(), unable to determine network interface label (%d)\n",
-			__func__, ifindex);
+		pr_warn_ratelimited("SELinux: failure in %s(), unable to determine network interface label (%d):  %d\n",
+				    __func__, ifindex, ret);
 	return ret;
 }
 
diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
index 8bb456d80dd5..76cf531af110 100644
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -228,8 +228,8 @@ static int sel_netnode_sid_slow(const void *addr, u16 family, u32 *sid)
 
 	spin_unlock_bh(&sel_netnode_lock);
 	if (unlikely(ret))
-		pr_warn("SELinux: failure in %s(), unable to determine network node label\n",
-			__func__);
+		pr_warn_ratelimited("SELinux: failure in %s(), unable to determine network node label (%d):  %d\n",
+				    __func__, family, ret);
 	return ret;
 }
 
diff --git a/security/selinux/netport.c b/security/selinux/netport.c
index 7d2207384d40..dadf14984fb4 100644
--- a/security/selinux/netport.c
+++ b/security/selinux/netport.c
@@ -162,8 +162,8 @@ static int sel_netport_sid_slow(u8 protocol, u16 pnum, u32 *sid)
 out:
 	spin_unlock_bh(&sel_netport_lock);
 	if (unlikely(ret))
-		pr_warn("SELinux: failure in %s(), unable to determine network port label\n",
-			__func__);
+		pr_warn_ratelimited("SELinux: failure in %s(), unable to determine network port label (%d:%d):  %d\n",
+				    __func__, protocol, pnum, ret);
 	return ret;
 }
 
-- 
2.49.0








