提交 fadcdb45 编写于 作者: E Eric Paris 提交者: James Morris

Reassign printk levels in selinux kernel code

Below is a patch which demotes many printk lines to KERN_DEBUG from
KERN_INFO.  It should help stop the spamming of logs with messages in
which users are not interested nor is there any action that users should
take.  It also promotes some KERN_INFO to KERN_ERR such as when there
are improper attempts to register/unregister security modules.

A similar patch was discussed a while back on list:
http://marc.theaimsgroup.com/?t=116656343500003&r=1&w=2
This patch addresses almost all of the issues raised.  I believe the
only advice not taken was in the demoting of messages related to
undefined permissions and classes.
Signed-off-by: NEric Paris <eparis@redhat.com>
Acked-by: NStephen Smalley <sds@tycho.nsa.gov>

 security/selinux/hooks.c       |   20 ++++++++++----------
 security/selinux/ss/avtab.c    |    2 +-
 security/selinux/ss/policydb.c |    6 +++---
 security/selinux/ss/sidtab.c   |    2 +-
 4 files changed, 15 insertions(+), 15 deletions(-)
Signed-off-by: NJames Morris <jmorris@namei.org>
上级 9654640d
...@@ -653,11 +653,11 @@ static int superblock_doinit(struct super_block *sb, void *data) ...@@ -653,11 +653,11 @@ static int superblock_doinit(struct super_block *sb, void *data)
sbsec->initialized = 1; sbsec->initialized = 1;
if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) { if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n", printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
sb->s_id, sb->s_type->name); sb->s_id, sb->s_type->name);
} }
else { else {
printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n", printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
sb->s_id, sb->s_type->name, sb->s_id, sb->s_type->name,
labeling_behaviors[sbsec->behavior-1]); labeling_behaviors[sbsec->behavior-1]);
} }
...@@ -4434,7 +4434,7 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag) ...@@ -4434,7 +4434,7 @@ static int selinux_ipc_permission(struct kern_ipc_perm *ipcp, short flag)
static int selinux_register_security (const char *name, struct security_operations *ops) static int selinux_register_security (const char *name, struct security_operations *ops)
{ {
if (secondary_ops != original_ops) { if (secondary_ops != original_ops) {
printk(KERN_INFO "%s: There is already a secondary security " printk(KERN_ERR "%s: There is already a secondary security "
"module registered.\n", __FUNCTION__); "module registered.\n", __FUNCTION__);
return -EINVAL; return -EINVAL;
} }
...@@ -4451,7 +4451,7 @@ static int selinux_register_security (const char *name, struct security_operatio ...@@ -4451,7 +4451,7 @@ static int selinux_register_security (const char *name, struct security_operatio
static int selinux_unregister_security (const char *name, struct security_operations *ops) static int selinux_unregister_security (const char *name, struct security_operations *ops)
{ {
if (ops != secondary_ops) { if (ops != secondary_ops) {
printk (KERN_INFO "%s: trying to unregister a security module " printk(KERN_ERR "%s: trying to unregister a security module "
"that is not registered.\n", __FUNCTION__); "that is not registered.\n", __FUNCTION__);
return -EINVAL; return -EINVAL;
} }
...@@ -4889,9 +4889,9 @@ static __init int selinux_init(void) ...@@ -4889,9 +4889,9 @@ static __init int selinux_init(void)
panic("SELinux: Unable to register with kernel.\n"); panic("SELinux: Unable to register with kernel.\n");
if (selinux_enforcing) { if (selinux_enforcing) {
printk(KERN_INFO "SELinux: Starting in enforcing mode\n"); printk(KERN_DEBUG "SELinux: Starting in enforcing mode\n");
} else { } else {
printk(KERN_INFO "SELinux: Starting in permissive mode\n"); printk(KERN_DEBUG "SELinux: Starting in permissive mode\n");
} }
#ifdef CONFIG_KEYS #ifdef CONFIG_KEYS
...@@ -4907,10 +4907,10 @@ static __init int selinux_init(void) ...@@ -4907,10 +4907,10 @@ static __init int selinux_init(void)
void selinux_complete_init(void) void selinux_complete_init(void)
{ {
printk(KERN_INFO "SELinux: Completing initialization.\n"); printk(KERN_DEBUG "SELinux: Completing initialization.\n");
/* Set up any superblocks initialized prior to the policy load. */ /* Set up any superblocks initialized prior to the policy load. */
printk(KERN_INFO "SELinux: Setting up existing superblocks.\n"); printk(KERN_DEBUG "SELinux: Setting up existing superblocks.\n");
spin_lock(&sb_lock); spin_lock(&sb_lock);
spin_lock(&sb_security_lock); spin_lock(&sb_security_lock);
next_sb: next_sb:
...@@ -4968,9 +4968,9 @@ static int __init selinux_nf_ip_init(void) ...@@ -4968,9 +4968,9 @@ static int __init selinux_nf_ip_init(void)
if (!selinux_enabled) if (!selinux_enabled)
goto out; goto out;
printk(KERN_INFO "SELinux: Registering netfilter hooks\n"); printk(KERN_DEBUG "SELinux: Registering netfilter hooks\n");
err = nf_register_hook(&selinux_ipv4_op); err = nf_register_hook(&selinux_ipv4_op);
if (err) if (err)
panic("SELinux: nf_register_hook for IPv4: error %d\n", err); panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
...@@ -4992,7 +4992,7 @@ __initcall(selinux_nf_ip_init); ...@@ -4992,7 +4992,7 @@ __initcall(selinux_nf_ip_init);
#ifdef CONFIG_SECURITY_SELINUX_DISABLE #ifdef CONFIG_SECURITY_SELINUX_DISABLE
static void selinux_nf_ip_exit(void) static void selinux_nf_ip_exit(void)
{ {
printk(KERN_INFO "SELinux: Unregistering netfilter hooks\n"); printk(KERN_DEBUG "SELinux: Unregistering netfilter hooks\n");
nf_unregister_hook(&selinux_ipv4_op); nf_unregister_hook(&selinux_ipv4_op);
#if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE) #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
......
...@@ -277,7 +277,7 @@ void avtab_hash_eval(struct avtab *h, char *tag) ...@@ -277,7 +277,7 @@ void avtab_hash_eval(struct avtab *h, char *tag)
} }
} }
printk(KERN_INFO "%s: %d entries and %d/%d buckets used, longest " printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, longest "
"chain length %d\n", tag, h->nel, slots_used, AVTAB_SIZE, "chain length %d\n", tag, h->nel, slots_used, AVTAB_SIZE,
max_chain_len); max_chain_len);
} }
......
...@@ -374,7 +374,7 @@ static void symtab_hash_eval(struct symtab *s) ...@@ -374,7 +374,7 @@ static void symtab_hash_eval(struct symtab *s)
struct hashtab_info info; struct hashtab_info info;
hashtab_stat(h, &info); hashtab_stat(h, &info);
printk(KERN_INFO "%s: %d entries and %d/%d buckets used, " printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, "
"longest chain length %d\n", symtab_name[i], h->nel, "longest chain length %d\n", symtab_name[i], h->nel,
info.slots_used, h->size, info.max_chain_len); info.slots_used, h->size, info.max_chain_len);
} }
...@@ -391,14 +391,14 @@ static int policydb_index_others(struct policydb *p) ...@@ -391,14 +391,14 @@ static int policydb_index_others(struct policydb *p)
{ {
int i, rc = 0; int i, rc = 0;
printk(KERN_INFO "security: %d users, %d roles, %d types, %d bools", printk(KERN_DEBUG "security: %d users, %d roles, %d types, %d bools",
p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim); p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim);
if (selinux_mls_enabled) if (selinux_mls_enabled)
printk(", %d sens, %d cats", p->p_levels.nprim, printk(", %d sens, %d cats", p->p_levels.nprim,
p->p_cats.nprim); p->p_cats.nprim);
printk("\n"); printk("\n");
printk(KERN_INFO "security: %d classes, %d rules\n", printk(KERN_DEBUG "security: %d classes, %d rules\n",
p->p_classes.nprim, p->te_avtab.nel); p->p_classes.nprim, p->te_avtab.nel);
#ifdef DEBUG_HASHES #ifdef DEBUG_HASHES
......
...@@ -253,7 +253,7 @@ void sidtab_hash_eval(struct sidtab *h, char *tag) ...@@ -253,7 +253,7 @@ void sidtab_hash_eval(struct sidtab *h, char *tag)
} }
} }
printk(KERN_INFO "%s: %d entries and %d/%d buckets used, longest " printk(KERN_DEBUG "%s: %d entries and %d/%d buckets used, longest "
"chain length %d\n", tag, h->nel, slots_used, SIDTAB_SIZE, "chain length %d\n", tag, h->nel, slots_used, SIDTAB_SIZE,
max_chain_len); max_chain_len);
} }
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册