* [PATCH] change printks from KERN_INFO to KERN_DEBUG
From: Eric Paris @ 2006-12-19 21:15 UTC
To: selinux; +Cc: sds, James Morris

The following patch goes through SELinux code and demotes a number of
printk from KERN_INFO to KERN_DEBUG. This still leaves a number of
KERN_INFO inside security/selinux which are listed below. If anyone
feels that any (all?) of those should be demoted as well just let me
know and I'll post another patch.

hooks.c: printk(KERN_INFO "%s: There is already a secondary security "
hooks.c: printk(KERN_INFO "%s: Registering secondary module %s\n",
hooks.c: printk(KERN_INFO "%s: trying to unregister a security module "
hooks.c: printk(KERN_INFO "SELinux: Disabled at boot.\n");
hooks.c: printk(KERN_INFO "SELinux: Initializing.\n");
hooks.c: printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
hooks.c: printk(KERN_INFO "SELinux: Starting in permissive mode\n");
hooks.c: printk(KERN_INFO "SELinux: Disabled at runtime.\n");
ss/avtab.c: printk(KERN_INFO "%s: %d entries and %d/%d buckets used, longest " <- wrapped in DEBUG_HASHES
ss/policydb.c: printk(KERN_INFO "%s: %d entries and %d/%d buckets used, " <- wrapped in DEBUG_HASHES
ss/policydb.c: printk(KERN_INFO "security: %d users, %d roles, %d types, %d bools",
ss/policydb.c: printk(KERN_INFO "security: %d classes, %d rules\n",
ss/services.c: printk(KERN_INFO <- missing class definitions in policy
ss/services.c: printk(KERN_INFO <- missing permission definitions in policy
ss/services.c: printk(KERN_INFO <- missing inherit definitions in policy
ss/sidtab.c: printk(KERN_INFO "%s: %d entries and %d/%d buckets used, longest " <- inside #if 0

Did I take too much or too little?

-Eric

 security/selinux/hooks.c | 14 +++++++-------
 1 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c index 65fb5e8..e7cc553 100644 --- a/security/selinux/hooks.c +++ b/security/selinux/hooks.c @@ -654,11 +654,11 @@ static int superblock_doinit(struct super_block *sb, void *data) sbsec->initialized = 1; if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) { - printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n", + printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), unknown behavior\n", sb->s_id, sb->s_type->name); } else { - printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n", + printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n", sb->s_id, sb->s_type->name, labeling_behaviors[sbsec->behavior-1]); } @@ -4408,7 +4408,7 @@ static int selinux_register_security (const char *name, struct security_operatio static int selinux_unregister_security (const char *name, struct security_operations *ops) { if (ops != secondary_ops) { - printk (KERN_INFO "%s: trying to unregister a security module " + printk(KERN_INFO "%s: trying to unregister a security module " "that is not registered.\n", __FUNCTION__); return -EINVAL; } @@ -4864,10 +4864,10 @@ static __init int selinux_init(void) void selinux_complete_init(void) { - printk(KERN_INFO "SELinux: Completing initialization.\n"); + printk(KERN_DEBUG "SELinux: Completing initialization.\n"); /* Set up any superblocks initialized prior to the policy load. */ - printk(KERN_INFO "SELinux: Setting up existing superblocks.\n"); + printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); spin_lock(&sb_lock); spin_lock(&sb_security_lock); next_sb: @@ -4926,7 +4926,7 @@ static int __init selinux_nf_ip_init(void) if (!selinux_enabled) goto out; - printk(KERN_INFO "SELinux: Registering netfilter hooks\n"); + printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); err = nf_register_hook(&selinux_ipv4_op); if (err) 
@@ -4949,7 +4949,7 @@ __initcall(selinux_nf_ip_init); #ifdef CONFIG_SECURITY_SELINUX_DISABLE static void selinux_nf_ip_exit(void) { - printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n"); + printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); nf_unregister_hook(&selinux_ipv4_op); #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.
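Review bot: in the superblock_doinit() hunk (@@ -654) the "unknown behavior" message is demoted to KERN_DEBUG together with the normal one, but that branch is only reached when `sbsec->behavior > ARRAY_SIZE(labeling_behaviors)`, that is, when the kernel is handed a labeling behavior it does not recognize, which is an error worth seeing rather than boot chatter. Keep that line at KERN_ERR and demote only the `"SELinux: initialized (dev %s, type %s), %s\n"` line. Not introduced by this patch but visible in the same context: the guard tests `> ARRAY_SIZE(...)` while the else branch indexes `labeling_behaviors[sbsec->behavior-1]`, so a behavior value of 0 would index before the start of the array; that deserves a separate fix.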
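Review bot: the selinux_unregister_security() hunk (@@ -4408) only changes `printk (KERN_INFO` to `printk(KERN_INFO`; the level stays KERN_INFO, so this hunk does not do what the changelog says the patch does. Either drop the whitespace-only hunk, or, since the message reports an attempt to unregister a module that was never registered and the function returns -EINVAL, raise it to KERN_ERR here so the diff matches its description.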
* Re: [PATCH] change printks from KERN_INFO to KERN_DEBUG
From: Stephen Smalley @ 2006-12-19 21:34 UTC
To: Eric Paris; +Cc: selinux, James Morris, Steve G

On Tue, 2006-12-19 at 16:15 -0500, Eric Paris wrote:
> The following patch goes through SELinux code and demotes a number of
> printk from KERN_INFO to KERN_DEBUG. This still leaves a number of
> KERN_INFO inside security/selinux which are listed below. If anyone
> feels that any (all?) of those should be demoted as well just let me
> know and I'll post another patch.
>
> hooks.c: printk(KERN_INFO "%s: There is already a secondary security "

Possibly this should be KERN_ERR. Or dropped.

> hooks.c: printk(KERN_INFO "%s: Registering secondary module %s\n",

I'd keep this one as KERN_INFO or turn it into an audit message.

> hooks.c: printk(KERN_INFO "%s: trying to unregister a security module "

KERN_ERR or drop.

> hooks.c: printk(KERN_INFO "SELinux: Disabled at boot.\n");

Keep as KERN_INFO or turn it into an audit message. Corresponds to booting
with selinux=0.

> hooks.c: printk(KERN_INFO "SELinux: Initializing.\n");
> hooks.c: printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
> hooks.c: printk(KERN_INFO "SELinux: Starting in permissive mode\n");

I'd turn the above three messages into KERN_DEBUG messages.

> hooks.c: printk(KERN_INFO "SELinux: Disabled at runtime.\n");

Keep as KERN_INFO or turn into audit. Corresponds to SELINUX=disabled in
/etc/selinux/config or equivalent (e.g. boot with init=/bin/bash and write
to /selinux/disable).

> ss/avtab.c: printk(KERN_INFO "%s: %d entries and %d/%d buckets used, longest " <- wrapped in DEBUG_HASHES
> ss/policydb.c: printk(KERN_INFO "%s: %d entries and %d/%d buckets used, " <- wrapped in DEBUG_HASHES

KERN_DEBUG.

> ss/policydb.c: printk(KERN_INFO "security: %d users, %d roles, %d types, %d bools",
> ss/policydb.c: printk(KERN_INFO "security: %d classes, %d rules\n",

Not sure. Possibly KERN_DEBUG.
> ss/services.c: printk(KERN_INFO <- missing class definitions in policy
> ss/services.c: printk(KERN_INFO <- missing permission definitions in policy
> ss/services.c: printk(KERN_INFO <- missing inherit definitions in policy

Possibly an audit message?

> ss/sidtab.c: printk(KERN_INFO "%s: %d entries and %d/%d buckets used, longest " <- inside #if 0

KERN_DEBUG or drop.

> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 65fb5e8..e7cc553 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -654,11 +654,11 @@ static int superblock_doinit(struct super_block *sb, void *data) > sbsec->initialized = 1; > > if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) { > - printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n", > + printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), unknown behavior\n", > sb->s_id, sb->s_type->name);

This one should actually be KERN_ERR, I suspect.

--
Stephen Smalley
National Security Agency
* Re: [PATCH] change printks from KERN_INFO to KERN_DEBUG
From: Eric Paris @ 2006-12-20 20:08 UTC
To: Stephen Smalley; +Cc: selinux, James Morris, Steve G

In this patch I do not plan to turn anything into audit messages. If
anyone has opinions on what should be audited rather than just printk'd
I'd be glad to do that in the future.

> > hooks.c: printk(KERN_INFO "SELinux: Initializing.\n");
> > hooks.c: printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
> > hooks.c: printk(KERN_INFO "SELinux: Starting in permissive mode\n");
>
> I'd turn the above three messages into KERN_DEBUG messages.

I want to leave these as .info. I know it is useful when people go back
and look at syslog/dmesg (support organizations) to know how things
actually started. It isn't a repeating message and is no different than
the 'disabled' messages which you seem to think should stay.

> > ss/services.c: printk(KERN_INFO <- missing class definitions in policy
> > ss/services.c: printk(KERN_INFO <- missing permission definitions in policy
> > ss/services.c: printk(KERN_INFO <- missing inherit definitions in policy
>
> Possibly an audit message?

Maybe it should be an audit as well. Any opinions? But for now (against
James's suggestion) I think these should stay as .info. Maybe we should
add 'you may want to look for a new policy which includes these missing
definitions.' This is the type of message that should cause the user to
do something.

Thoughts?

 security/selinux/hooks.c | 16 ++++++++--------
 security/selinux/ss/avtab.c | 2 +-
 security/selinux/ss/policydb.c | 6 +++---
 security/selinux/ss/sidtab.c | 2 +-
 4 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
index 65fb5e8..5cc9e1d 100644
--- a/security/selinux/hooks.c
+++ b/security/selinux/hooks.c @@ -654,11 +654,11 @@ static int superblock_doinit(struct super_block *sb, void *data) sbsec->initialized = 1; if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) { - printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n", + printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", sb->s_id, sb->s_type->name); } else { - printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n", + printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n", sb->s_id, sb->s_type->name, labeling_behaviors[sbsec->behavior-1]); } @@ -4391,7 +4391,7 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) static int selinux_register_security (const char *name, struct security_operations *ops) { if (secondary_ops != original_ops) { - printk(KERN_INFO "%s: There is already a secondary security " + printk(KERN_ERR "%s: There is already a secondary security " "module registered.\n", __FUNCTION__); return -EINVAL; } @@ -4408,7 +4408,7 @@ static int selinux_register_security (const char *name, struct security_operatio static int selinux_unregister_security (const char *name, struct security_operations *ops) { if (ops != secondary_ops) { - printk (KERN_INFO "%s: trying to unregister a security module " + printk(KERN_ERR "%s: trying to unregister a security module " "that is not registered.\n", __FUNCTION__); return -EINVAL; } @@ -4864,10 +4864,10 @@ static __init int selinux_init(void) void selinux_complete_init(void) { - printk(KERN_INFO "SELinux: Completing initialization.\n"); + printk(KERN_DEBUG "SELinux: Completing initialization.\n"); /* Set up any superblocks initialized prior to the policy load. */ - printk(KERN_INFO "SELinux: Setting up existing superblocks.\n"); + printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); spin_lock(&sb_lock); spin_lock(&sb_security_lock); next_sb: 
@@ -4926,7 +4926,7 @@ static int __init selinux_nf_ip_init(void) if (!selinux_enabled) goto out; - printk(KERN_INFO "SELinux: Registering netfilter hooks\n"); + printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); err = nf_register_hook(&selinux_ipv4_op); if (err) @@ -4949,7 +4949,7 @@ __initcall(selinux_nf_ip_init); #ifdef CONFIG_SECURITY_SELINUX_DISABLE static void selinux_nf_ip_exit(void) { - printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n"); + printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); nf_unregister_hook(&selinux_ipv4_op); #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c index ebb993c..37b20e1 100644 --- a/security/selinux/ss/avtab.c +++ b/security/selinux/ss/avtab.c @@ -278,7 +278,7 @@ void avtab_hash_eval(struct avtab *h, char *tag) } } - printk(KERN_INFO "%s: %d entries and %d/%d buckets used, longest " + printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, longest " "chain length %d\n", tag, h->nel, slots_used, AVTAB_SIZE, max_chain_len); } diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c index cd79c63..0ac1021 100644 --- a/security/selinux/ss/policydb.c +++ b/security/selinux/ss/policydb.c @@ -374,7 +374,7 @@ static void symtab_hash_eval(struct symtab *s) struct hashtab_info info; hashtab_stat(h, &info); - printk(KERN_INFO "%s: %d entries and %d/%d buckets used, " + printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, " "longest chain length %d\n", symtab_name[i], h->nel, info.slots_used, h->size, info.max_chain_len); } 
@@ -391,14 +391,14 @@ static int policydb_index_others(struct policydb *p) { int i, rc = 0; - printk(KERN_INFO "security: %d users, %d roles, %d types, %d bools", + printk(KERN_DEBUG "security: %d users, %d roles, %d types, %d bools", p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim); if (selinux_mls_enabled) printk(", %d sens, %d cats", p->p_levels.nprim, p->p_cats.nprim); printk("\n"); - printk(KERN_INFO "security: %d classes, %d rules\n", + printk(KERN_DEBUG "security: %d classes, %d rules\n", p->p_classes.nprim, p->te_avtab.nel); #ifdef DEBUG_HASHES diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c index 871c33b..1599edb 100644 --- a/security/selinux/ss/sidtab.c +++ b/security/selinux/ss/sidtab.c @@ -254,7 +254,7 @@ void sidtab_hash_eval(struct sidtab *h, char *tag) } } - printk(KERN_INFO "%s: %d entries and %d/%d buckets used, longest " + printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, longest " "chain length %d\n", tag, h->nel, slots_used, SIDTAB_SIZE, max_chain_len); }
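Review bot: in the superblock_doinit() hunk (@@ -654) the unknown-behavior message is now KERN_ERR, which is the right level, but its text still starts "SELinux: initialized (dev %s, type %s)" and never says which value was unexpected. `sbsec->behavior` is in scope, so print it, for example `"SELinux: %s (type %s): unknown labeling behavior %d\n"`, so the error can be diagnosed from the log alone.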
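Review bot: in the policydb_index_others() hunk (@@ -391) only the first fragment carries KERN_DEBUG; the `printk(", %d sens, %d cats", ...)` and `printk("\n")` continuations have no level of their own and rely on nothing being logged between the fragments. If another message lands in between, the tail of the line is emitted at the default message level rather than KERN_DEBUG. Build the line with a single printk (or into a local buffer) while touching it. Also, these two messages use the "security:" prefix while every message in hooks.c uses "SELinux:"; unify the prefix in the same change.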
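Review bot: the avtab.c and sidtab.c hunks change printks that, per the changelog, are only compiled under DEBUG_HASHES or sit inside `#if 0`, so they have no effect on a normal build. Taking them for consistency is fine, but the changelog should say they are no-ops, and the `#if 0` block around sidtab_hash_eval() would be better removed than edited.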
* Re: [PATCH] change printks from KERN_INFO to KERN_DEBUG
From: Stephen Smalley @ 2006-12-20 20:34 UTC
To: Eric Paris; +Cc: selinux, James Morris, Steve G

On Wed, 2006-12-20 at 15:08 -0500, Eric Paris wrote:
> In this patch I do not plan to turn anything into audit messages. If
> anyone has opinions on what should be audited rather than just printk'd
> I'd be glad to do that in the future.
>
> > > hooks.c: printk(KERN_INFO "SELinux: Initializing.\n");
> > > hooks.c: printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
> > > hooks.c: printk(KERN_INFO "SELinux: Starting in permissive mode\n");
> >
> > I'd turn the above three messages into KERN_DEBUG messages.
>
> I want to leave these as .info. I know it is useful when people go back
> and look at syslog/dmesg (support organizations) to know how things
> actually started. It isn't a repeating message and is no different than
> the 'disabled' messages which you seem to think should stay.

Up to you, but it isn't as useful as you might think:

- SELinux: Initializing only tells you that SELinux started
  initialization, not whether a policy was ever loaded or the system was
  ever put into enforcing mode.

- SELinux: Starting in... only tells you the boot-time state, which in
  Red Hat kernels is _always_ permissive unless you boot with
  enforcing=1. Otherwise, enforcing mode isn't entered until /sbin/init
  makes its security_setenforce() call. And note that enforcing mode
  isn't really meaningful until policy is loaded. sestatus(8) is more
  useful for checking whether the active system truly has SELinux enabled
  and enforcing.

> > > ss/services.c: printk(KERN_INFO <- missing class definitions in policy
> > > ss/services.c: printk(KERN_INFO <- missing permission definitions in policy
> > > ss/services.c: printk(KERN_INFO <- missing inherit definitions in policy
> >
> > Possibly an audit message?
>
> Maybe it should be an audit as well. Any opinions? But for now
> (against James's suggestion) I think these should stay as .info.
> Maybe we should add 'you may want to look for a new policy which includes
> these missing definitions.' This is the type of message that should
> cause the user to do something.

I agree that they merit more than KERN_DEBUG, as they may reflect a need
to update policy. However, it doesn't _require_ the user to do anything
(assuming you proceed with a revised patch to support allowing unknown
classes and permissions), and the usual position of Fedora seems to have
been to ship newer upstream kernels but _not_ newer upstream policies.

> Thoughts?
>
>  security/selinux/hooks.c | 16 ++++++++--------
>  security/selinux/ss/avtab.c | 2 +-
>  security/selinux/ss/policydb.c | 6 +++---
>  security/selinux/ss/sidtab.c | 2 +-
>  4 files changed, 13 insertions(+), 13 deletions(-)
>
> diff --git a/security/selinux/hooks.c b/security/selinux/hooks.c
> index 65fb5e8..5cc9e1d 100644
> --- a/security/selinux/hooks.c
> +++ b/security/selinux/hooks.c
> @@ -654,11 +654,11 @@ static int superblock_doinit(struct super_block *sb, void *data) > sbsec->initialized = 1; > > if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) { > - printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n", > + printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n", > sb->s_id, sb->s_type->name); > } > else { > - printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n", > + printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n", > sb->s_id, sb->s_type->name, > labeling_behaviors[sbsec->behavior-1]); > } > @@ -4391,7 +4391,7 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) > static int selinux_register_security (const char *name, struct security_operations *ops) > { > if (secondary_ops != original_ops) { > - printk(KERN_INFO "%s: There is already a secondary security " > + printk(KERN_ERR "%s: There is already a secondary security " > "module registered.\n", __FUNCTION__); > return -EINVAL; > }
> @@ -4408,7 +4408,7 @@ static int selinux_register_security (const char *name, struct security_operatio > static int selinux_unregister_security (const char *name, struct security_operations *ops) > { > if (ops != secondary_ops) { > - printk (KERN_INFO "%s: trying to unregister a security module " > + printk(KERN_ERR "%s: trying to unregister a security module " > "that is not registered.\n", __FUNCTION__); > return -EINVAL; > } > @@ -4864,10 +4864,10 @@ static __init int selinux_init(void) > > void selinux_complete_init(void) > { > - printk(KERN_INFO "SELinux: Completing initialization.\n"); > + printk(KERN_DEBUG "SELinux: Completing initialization.\n"); > > /* Set up any superblocks initialized prior to the policy load. */ > - printk(KERN_INFO "SELinux: Setting up existing superblocks.\n"); > + printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n"); > spin_lock(&sb_lock); > spin_lock(&sb_security_lock); > next_sb: > @@ -4926,7 +4926,7 @@ static int __init selinux_nf_ip_init(void) > if (!selinux_enabled) > goto out; > > - printk(KERN_INFO "SELinux: Registering netfilter hooks\n"); > + printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n"); > > err = nf_register_hook(&selinux_ipv4_op); > if (err) > @@ -4949,7 +4949,7 @@ __initcall(selinux_nf_ip_init); > #ifdef CONFIG_SECURITY_SELINUX_DISABLE > static void selinux_nf_ip_exit(void) > { > - printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n"); > + printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n"); > > nf_unregister_hook(&selinux_ipv4_op); > #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) > diff --git a/security/selinux/ss/avtab.c b/security/selinux/ss/avtab.c > index ebb993c..37b20e1 100644 > --- a/security/selinux/ss/avtab.c > +++ b/security/selinux/ss/avtab.c 
> @@ -278,7 +278,7 @@ void avtab_hash_eval(struct avtab *h, char *tag) > } > } > > - printk(KERN_INFO "%s: %d entries and %d/%d buckets used, longest " > + printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, longest " > "chain length %d\n", tag, h->nel, slots_used, AVTAB_SIZE, > max_chain_len); > } > diff --git a/security/selinux/ss/policydb.c b/security/selinux/ss/policydb.c > index cd79c63..0ac1021 100644 > --- a/security/selinux/ss/policydb.c > +++ b/security/selinux/ss/policydb.c > @@ -374,7 +374,7 @@ static void symtab_hash_eval(struct symtab *s) > struct hashtab_info info; > > hashtab_stat(h, &info); > - printk(KERN_INFO "%s: %d entries and %d/%d buckets used, " > + printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, " > "longest chain length %d\n", symtab_name[i], h->nel, > info.slots_used, h->size, info.max_chain_len); > } > @@ -391,14 +391,14 @@ static int policydb_index_others(struct policydb *p) > { > int i, rc = 0; > > - printk(KERN_INFO "security: %d users, %d roles, %d types, %d bools", > + printk(KERN_DEBUG "security: %d users, %d roles, %d types, %d bools", > p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim); > if (selinux_mls_enabled) > printk(", %d sens, %d cats", p->p_levels.nprim, > p->p_cats.nprim); > printk("\n"); > > - printk(KERN_INFO "security: %d classes, %d rules\n", > + printk(KERN_DEBUG "security: %d classes, %d rules\n", > p->p_classes.nprim, p->te_avtab.nel); > > #ifdef DEBUG_HASHES > diff --git a/security/selinux/ss/sidtab.c b/security/selinux/ss/sidtab.c > index 871c33b..1599edb 100644 > --- a/security/selinux/ss/sidtab.c > +++ b/security/selinux/ss/sidtab.c 
> @@ -254,7 +254,7 @@ void sidtab_hash_eval(struct sidtab *h, char *tag) > } > } > > - printk(KERN_INFO "%s: %d entries and %d/%d buckets used, longest " > + printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, longest " > "chain length %d\n", tag, h->nel, slots_used, SIDTAB_SIZE, > max_chain_len); > }

Acked-by: Stephen Smalley <sds@tycho.nsa.gov>

--
Stephen Smalley
National Security Agency
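Eric's case for keeping the start-up lines at KERN_INFO is that support staff read syslog/dmesg afterwards; Stephen's reply is that the boot-time line says little. What the level change actually does to where a line ends up is easy to model. The following is an added example, not code from the patch or from the kernel: a small C model of the 2.6-era printk() rules, under these assumptions (taken from include/linux/kernel.h and kernel/printk.c of that period and simplified): a message's "<n>" prefix is its level, KERN_INFO being 6 and KERN_DEBUG 7; a line reaches the console only when its level is numerically below console_loglevel (7 by default, so KERN_DEBUG lines never reach the console while KERN_INFO lines do); every line is appended to the log buffer that dmesg(1) and klogd read regardless of level; a fragment that starts a new line without a prefix gets the default message level 4, and a fragment that continues an unterminated line inherits that line's level, which is what the split printk in policydb_index_others() relies on. The struct and function names (struct klog, model_printk, demo_console_lines) are mine, and the replayed messages are constructed from the ones in the patch.

```c
#include <stdio.h>
#include <string.h>

/* Level prefixes as defined in include/linux/kernel.h of the era. */
#define KERN_ERR     "<3>"
#define KERN_WARNING "<4>"
#define KERN_INFO    "<6>"
#define KERN_DEBUG   "<7>"

#define DEFAULT_MESSAGE_LOGLEVEL 4  /* a new line with no prefix gets this */
#define DEFAULT_CONSOLE_LOGLEVEL 7  /* console shows levels strictly below this */

/* Model of the kernel log: the buffer that dmesg(1)/klogd read, plus a
 * count of what the console would have shown. Assumed simplification:
 * one fixed buffer with no wrap-around and no concurrent writers. */
struct klog {
    char buf[2048];          /* everything printk'd, prefixes stripped */
    size_t len;
    int console_loglevel;
    int console_count;       /* lines that reached the console */
    int line_open;           /* last fragment did not end in '\n' */
    int cur_level;           /* level of the line being assembled */
};

void klog_init(struct klog *k, int console_loglevel)
{
    memset(k, 0, sizeof *k);
    k->console_loglevel = console_loglevel;
}

/* Parse a leading "<n>": returns n and advances *msg past it, or -1. */
static int parse_level(const char **msg)
{
    const char *s = *msg;
    if (s[0] == '<' && s[1] >= '0' && s[1] <= '7' && s[2] == '>') {
        *msg = s + 3;
        return s[1] - '0';
    }
    return -1;
}

/* model_printk: a fragment that starts a new line fixes that line's level
 * (DEFAULT_MESSAGE_LOGLEVEL when it has no prefix) and is counted for the
 * console if the level is below console_loglevel; a fragment continuing an
 * unterminated line inherits the open line's level (a prefix on it is
 * ignored in this model). Every fragment lands in the buffer. Returns the
 * level used, or -1 if the buffer is full. */
int model_printk(struct klog *k, const char *msg)
{
    int level = parse_level(&msg);
    size_t n = strlen(msg);

    if (!k->line_open) {
        k->cur_level = (level >= 0) ? level : DEFAULT_MESSAGE_LOGLEVEL;
        if (k->cur_level < k->console_loglevel)
            k->console_count++;
    }
    if (k->len + n >= sizeof k->buf)
        return -1;
    memcpy(k->buf + k->len, msg, n);
    k->len += n;
    k->buf[k->len] = '\0';
    if (n > 0)
        k->line_open = (msg[n - 1] != '\n');
    return k->cur_level;
}

/* Replays messages from the patch (constructed values) at the default
 * console loglevel and returns how many lines reached the console. */
int demo_console_lines(struct klog *k)
{
    klog_init(k, DEFAULT_CONSOLE_LOGLEVEL);
    model_printk(k, KERN_INFO "SELinux: Starting in enforcing mode\n");    /* 6 < 7: console */
    model_printk(k, KERN_DEBUG "SELinux: Completing initialization.\n");   /* 7: buffer only */
    model_printk(k, KERN_DEBUG "SELinux: Registering netfilter hooks\n");  /* 7: buffer only */
    model_printk(k, KERN_ERR "SELinux: initialized (dev sda1, type ext3), unknown behavior\n");
    /* the policydb_index_others() pattern: a level on the first fragment only */
    model_printk(k, KERN_DEBUG "security: 3 users, 4 roles, 1200 types, 50 bools");
    model_printk(k, ", 16 sens, 1024 cats");
    model_printk(k, "\n");
    return k->console_count;
}

int main(void)
{
    struct klog k;
    int n = demo_console_lines(&k);
    printf("%d lines reached the console; what dmesg would show:\n%s", n, k.buf);
    return 0;
}
```

Two of the seven fragments make it to the console (the KERN_INFO and KERN_ERR lines); all of them are still in the buffer, so a demoted line is lost to the console and to a syslog filter set at info, but not to dmesg. The continuation fragments take the level of the fragment that opened the line, which is why the level on the first printk in policydb_index_others() governs the whole line only as long as nothing else is logged in between.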
* Re: [PATCH] change printks from KERN_INFO to KERN_DEBUG
From: Steve G @ 2006-12-20 22:24 UTC
To: Eric Paris, Stephen Smalley; +Cc: selinux, James Morris, Steve G

>> > ss/services.c: printk(KERN_INFO <- missing class definitions in policy
>> > ss/services.c: printk(KERN_INFO <- missing permission definitions in policy
>> > ss/services.c: printk(KERN_INFO <- missing inherit definitions in policy
>>
>> Possibly an audit message?
>
> Maybe it should be an audit as well. Any opinions?

Not sure this should be audited. Does this mean that policy will
malfunction? Or that labels will not be properly attributed to subj/obj?
What is the effect?

-Steve
* Re: [PATCH] change printks from KERN_INFO to KERN_DEBUG
From: Eric Paris @ 2006-12-21 3:07 UTC
To: Steve G; +Cc: Stephen Smalley, selinux, James Morris

On Wed, 2006-12-20 at 14:24 -0800, Steve G wrote:
> >> > ss/services.c: printk(KERN_INFO <- missing class definitions in policy
> >> > ss/services.c: printk(KERN_INFO <- missing permission definitions in policy
> >> > ss/services.c: printk(KERN_INFO <- missing inherit definitions in policy
> >>
> >> Possibly an audit message?
> >
> >Maybe it should be an audit as well. Any opinions?
>
> Not sure this should be audited. Does this mean that policy will malfunction? Or
> that labels will not be properly attributed to subj/obj? What is the effect?
>
> -Steve

Currently it means that access decisions which would rely on that
class/perm will be denied. They will still be logged based on the
kernel's view. So actually the logging is still correct and complete.

If I ever get back to my other patch set it would be possible that such
access decisions would be allowed rather than denied. These messages are
merely an indicator that your policy does not define operations which
the kernel may be mediating and the user might have a need to look at
finding a newer policy. Except maybe in the (future) 'allow unknown'
case, they have little bearing on the actual security or proper auditing
of the system.

-Eric
* Re: [PATCH] change printks from KERN_INFO to KERN_DEBUG
From: Steve G @ 2006-12-21 15:05 UTC
To: Eric Paris; +Cc: Stephen Smalley, selinux, James Morris

>Currently it means that access decisions which would rely on that
>class/perm will be denied. They will still be logged based on the
>kernel's view. So actually the logging is still correct and complete.

This sounds like it should go to syslog as an error then. Errors do not
need to be audited, just access control decisions and significant changes
in state of security functions like loading policy, disabling selinux,
flipping boolean, etc.

I also wonder if there should be a way to cause the system to panic if a
policy loads that has these kinds of holes in it?

-Steve
* Re: [PATCH] change printks from KERN_INFO to KERN_DEBUG
From: Stephen Smalley @ 2006-12-21 15:19 UTC
To: Steve G; +Cc: Eric Paris, selinux, James Morris

On Thu, 2006-12-21 at 07:05 -0800, Steve G wrote:
> >Currently it means that access decisions which would rely on that
> >class/perm will be denied. They will still be logged based on the
> >kernel's view. So actually the logging is still correct and complete.
>
> This sounds like it should go to syslog as an error then. Errors do not need to
> be audited, just access control decisions and significant changes in state of
> security functions like loading policy, disabling selinux, flipping boolean, etc.
>
> I also wonder if there should be a way to cause the system to panic if a policy
> loads that has these kinds of holes in it?

The plan is to support three options, selectable when policy is
built/generated:

- reject policy at load time (in which case userspace can handle it as
  desired - init will already halt the system if enforcing and it cannot
  load policy; policy package would just report an error from %post for
  updates),
- accept policy at load time and deny undefined classes/perms,
- accept policy at load time and allow undefined classes/perms.

In any event, I think printk KERN_INFO is appropriate for these
particular messages about missing classes and perms. Then if the config
flag is to reject the policy, an error message can be generated, or if
the config flag is to accept the policy and deny undefined classes/perms,
we'll get audit messages from the AVC upon any attempts to use those
undefined classes/perms.

--
Stephen Smalley
National Security Agency
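The three options Stephen lists above read as one decision table: at load time the kernel compares the classes it mediates against the ones the policy defines, and what happens next depends on a mode chosen when the policy was built. The following is an added example and not the kernel's implementation: a C model of that table with a constructed kernel class list, a constructed policy that predates two of those classes, and an access check that reports whether an AVC denial record would be produced. All names in it (enum unknown_mode, struct policy, load_policy, compute_av, sample_policy) and the message texts are assumed for the illustration.

```c
#include <stdio.h>
#include <string.h>

/* How a policy asks the kernel to treat classes/permissions it does not
 * define (assumed names for this illustration). */
enum unknown_mode { UNKNOWN_REJECT, UNKNOWN_DENY, UNKNOWN_ALLOW };

/* Classes the running kernel mediates: constructed sample in which the
 * kernel is newer than the policy ("key" and "dccp_socket" are the new ones). */
static const char *kernel_classes[] = { "file", "dir", "socket", "key", "dccp_socket" };
#define N_KERNEL_CLASSES (sizeof kernel_classes / sizeof kernel_classes[0])

struct allow_rule { const char *subj, *cls, *perm; };

struct policy {
    enum unknown_mode mode;      /* selected when the policy was built */
    const char *classes[8];      /* classes this policy defines */
    int n_classes;
    struct allow_rule allow[8];  /* allow rules (constructed sample) */
    int n_allow;
};

static int policy_defines_class(const struct policy *p, const char *cls)
{
    for (int i = 0; i < p->n_classes; i++)
        if (strcmp(p->classes[i], cls) == 0)
            return 1;
    return 0;
}

/* Append a line to a printk-style log buffer without overflowing it. */
static void log_append(char *log, size_t loglen, const char *line)
{
    size_t used = strlen(log);
    if (used + 1 < loglen)
        strncat(log, line, loglen - used - 1);
}

/* Load-time check, the counterpart of the services.c "missing class
 * definitions" message. Returns the number of kernel classes the policy
 * lacks, or -1 when the policy asked for rejection and any is missing. */
int load_policy(const struct policy *p, char *log, size_t loglen)
{
    char line[128];
    int missing = 0;

    log[0] = '\0';
    for (size_t i = 0; i < N_KERNEL_CLASSES; i++) {
        if (policy_defines_class(p, kernel_classes[i]))
            continue;
        missing++;
        snprintf(line, sizeof line, "<6>SELinux: class %s not defined in policy\n",
                 kernel_classes[i]);      /* KERN_INFO: informational, per the thread */
        log_append(log, loglen, line);
    }
    if (missing && p->mode == UNKNOWN_REJECT) {
        snprintf(line, sizeof line, "<3>SELinux: policy rejected, %d undefined classes\n",
                 missing);                /* KERN_ERR: load fails, userspace decides */
        log_append(log, loglen, line);
        return -1;
    }
    return missing;
}

/* Access decision: returns 1 (allowed) or 0 (denied); *avc_denial is set
 * when the AVC would emit a denial record for this check. */
int compute_av(const struct policy *p, const char *subj, const char *cls,
               const char *perm, int *avc_denial)
{
    *avc_denial = 0;
    if (!policy_defines_class(p, cls)) {
        if (p->mode == UNKNOWN_ALLOW)
            return 1;           /* permitted silently: no record at all */
        *avc_denial = 1;        /* denied and logged against the kernel's view */
        return 0;
    }
    for (int i = 0; i < p->n_allow; i++)
        if (strcmp(p->allow[i].subj, subj) == 0 && strcmp(p->allow[i].cls, cls) == 0 &&
            strcmp(p->allow[i].perm, perm) == 0)
            return 1;
    *avc_denial = 1;            /* ordinary denial: class known, no allow rule */
    return 0;
}

/* Constructed policy that predates the "key" and "dccp_socket" classes. */
struct policy sample_policy(enum unknown_mode mode)
{
    struct policy p = {
        .mode = mode,
        .classes = { "file", "dir", "socket" },
        .n_classes = 3,
        .allow = { { "httpd_t", "file", "read" } },
        .n_allow = 1,
    };
    return p;
}

int main(void)
{
    char log[512];
    int denial;
    struct policy p = sample_policy(UNKNOWN_DENY);
    int n = load_policy(&p, log, sizeof log);

    printf("%d undefined classes at load:\n%s", n, log);
    printf("httpd_t key:view -> %s\n",
           compute_av(&p, "httpd_t", "key", "view", &denial) ? "allowed" : "denied (AVC record)");
    return 0;
}
```

Under UNKNOWN_DENY an access to an undefined class is refused and flagged as an AVC denial, which is what Eric describes as logging "based on the kernel's view"; under UNKNOWN_ALLOW it is permitted with no record, so the KERN_INFO lines at load time are the only trace that the policy is older than the kernel; under UNKNOWN_REJECT load_policy() fails and userspace decides whether to halt or report.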
* Re: [PATCH] change printks from KERN_INFO to KERN_DEBUG
From: James Morris @ 2006-12-19 21:45 UTC
To: Eric Paris; +Cc: selinux, sds, James Morris

On Tue, 19 Dec 2006, Eric Paris wrote:

> The following patch goes through SELinux code and demotes a number of
> printk from KERN_INFO to KERN_DEBUG. This still leaves a number of
> KERN_INFO inside security/selinux which are listed below. If anyone
> feels that any (all?) of those should be demoted as well just let me
> know and I'll post another patch.
>
> hooks.c: printk(KERN_INFO "%s: There is already a secondary security "
> hooks.c: printk(KERN_INFO "%s: Registering secondary module %s\n",
> hooks.c: printk(KERN_INFO "%s: trying to unregister a security module "
> hooks.c: printk(KERN_INFO "SELinux: Disabled at boot.\n");
> hooks.c: printk(KERN_INFO "SELinux: Initializing.\n");
> hooks.c: printk(KERN_INFO "SELinux: Starting in enforcing mode\n");
> hooks.c: printk(KERN_INFO "SELinux: Starting in permissive mode\n");
> hooks.c: printk(KERN_INFO "SELinux: Disabled at runtime.\n");

These look ok.

> ss/avtab.c: printk(KERN_INFO "%s: %d entries and %d/%d buckets used, longest " <- wrapped in DEBUG_HASHES
> ss/policydb.c: printk(KERN_INFO "%s: %d entries and %d/%d buckets used, " <- wrapped in DEBUG_HASHES
> ss/policydb.c: printk(KERN_INFO "security: %d users, %d roles, %d types, %d bools",
> ss/policydb.c: printk(KERN_INFO "security: %d classes, %d rules\n",
> ss/services.c: printk(KERN_INFO <- missing class definitions in policy
> ss/services.c: printk(KERN_INFO <- missing permission definitions in policy
> ss/services.c: printk(KERN_INFO <- missing inherit definitions in policy
> ss/sidtab.c: printk(KERN_INFO "%s: %d entries and %d/%d buckets used, longest " <- inside #if 0

I think these should all be KERN_DEBUG.

--
James Morris <jmorris@namei.org>