Sophie

Sophie

distrib > Scientific%20Linux > 5x > x86_64 > by-pkgid > fc11cd6e1c513a17304da94a5390f3cd > files > 3693

kernel-2.6.18-194.11.1.el5.src.rpm

From: Eric Paris <eparis@redhat.com>
Subject: [RHEL5 PATCH] BZ 229874 Supress SELinux printk for messages users 	don't care about
Date: Mon, 30 Apr 2007 16:25:59 -0400
Bugzilla: 229874
Message-Id: <1177964759.3920.11.camel@dhcp59-235.rdu.redhat.com>
Changelog: [security] Supress SELinux printk for messages users don't care about


BZ 229874

The customer from the above BZ complained that on a system where they
were mounting and unmounting lots of filesystems (read automounter) they
got really tired of the log spam that looks like:

Dec 18 16:32:06 buildrm55 kernel: SELinux: initialized (dev 0:39, type
nfs), uses genfs_contexts

Which comes every time a FS is mounted on a machine running with SELinux
enabled.  So upstream we decided to do a run through all of the printk
messages in SELinux code and attempted to demote messages users can
almost always safely ignore to DEBUG and promote messages which are
actually problems to ERR.  Very few printks were left at INFO since
there aren't to many things SELinux can do that users might need to take
action on but aren't actually errors.  In reality to fix the issue they
were complaining about only requires the very first hunk of this patch,
but this is the full patch upstream took.

http://git.kernel.org/?p=linux/kernel/git/torvalds/linux-2.6.git;a=commitdiff;h=fadcdb451632d32d7c0d4c71df9ac2d3b7ae2348

This should silence most all of the SELinux spam.

-Eric

--- linux-2.6.18.i686/security/selinux/hooks.c.pre.printk	2007-04-30 16:21:15.000000000 -0400
+++ linux-2.6.18.i686/security/selinux/hooks.c	2007-04-30 16:23:26.000000000 -0400
@@ -653,11 +653,11 @@ static int superblock_doinit(struct supe
 	sbsec->initialized = 1;
 
 	if (sbsec->behavior > ARRAY_SIZE(labeling_behaviors)) {
-		printk(KERN_INFO "SELinux: initialized (dev %s, type %s), unknown behavior\n",
+		printk(KERN_ERR "SELinux: initialized (dev %s, type %s), unknown behavior\n",
 		       sb->s_id, sb->s_type->name);
 	}
 	else {
-		printk(KERN_INFO "SELinux: initialized (dev %s, type %s), %s\n",
+		printk(KERN_DEBUG "SELinux: initialized (dev %s, type %s), %s\n",
 		       sb->s_id, sb->s_type->name,
 		       labeling_behaviors[sbsec->behavior-1]);
 	}
@@ -4350,7 +4350,7 @@ static int selinux_ipc_permission(struct
 static int selinux_register_security (const char *name, struct security_operations *ops)
 {
 	if (secondary_ops != original_ops) {
-		printk(KERN_INFO "%s:  There is already a secondary security "
+		printk(KERN_ERR "%s:  There is already a secondary security "
 		       "module registered.\n", __FUNCTION__);
 		return -EINVAL;
  	}
@@ -4367,7 +4367,7 @@ static int selinux_register_security (co
 static int selinux_unregister_security (const char *name, struct security_operations *ops)
 {
 	if (ops != secondary_ops) {
-		printk (KERN_INFO "%s:  trying to unregister a security module "
+		printk(KERN_ERR "%s:  trying to unregister a security module "
 		        "that is not registered.\n", __FUNCTION__);
 		return -EINVAL;
 	}
@@ -4812,9 +4812,9 @@ static __init int selinux_init(void)
 		panic("SELinux: Unable to register with kernel.\n");
 
 	if (selinux_enforcing) {
-		printk(KERN_INFO "SELinux:  Starting in enforcing mode\n");
+		printk(KERN_DEBUG "SELinux:  Starting in enforcing mode\n");
 	} else {
-		printk(KERN_INFO "SELinux:  Starting in permissive mode\n");
+		printk(KERN_DEBUG "SELinux:  Starting in permissive mode\n");
 	}
 
 #ifdef CONFIG_KEYS
@@ -4830,10 +4830,10 @@ static __init int selinux_init(void)
 
 void selinux_complete_init(void)
 {
-	printk(KERN_INFO "SELinux:  Completing initialization.\n");
+	printk(KERN_DEBUG "SELinux:  Completing initialization.\n");
 
 	/* Set up any superblocks initialized prior to the policy load. */
-	printk(KERN_INFO "SELinux:  Setting up existing superblocks.\n");
+	printk(KERN_DEBUG "SELinux:  Setting up existing superblocks.\n");
 	spin_lock(&sb_lock);
 	spin_lock(&sb_security_lock);
 next_sb:
@@ -4891,9 +4891,9 @@ static int __init selinux_nf_ip_init(voi
 
 	if (!selinux_enabled)
 		goto out;
-		
-	printk(KERN_INFO "SELinux:  Registering netfilter hooks\n");
-	
+
+	printk(KERN_DEBUG "SELinux:  Registering netfilter hooks\n");
+
 	err = nf_register_hook(&selinux_ipv4_op);
 	if (err)
 		panic("SELinux: nf_register_hook for IPv4: error %d\n", err);
@@ -4915,7 +4915,7 @@ __initcall(selinux_nf_ip_init);
 #ifdef CONFIG_SECURITY_SELINUX_DISABLE
 static void selinux_nf_ip_exit(void)
 {
-	printk(KERN_INFO "SELinux:  Unregistering netfilter hooks\n");
+	printk(KERN_DEBUG "SELinux:  Unregistering netfilter hooks\n");
 
 	nf_unregister_hook(&selinux_ipv4_op);
 #if defined(CONFIG_IPV6) || defined(CONFIG_IPV6_MODULE)
--- linux-2.6.18.i686/security/selinux/ss/sidtab.c.pre.printk	2006-09-19 23:42:06.000000000 -0400
+++ linux-2.6.18.i686/security/selinux/ss/sidtab.c	2007-04-30 16:23:26.000000000 -0400
@@ -254,7 +254,7 @@ void sidtab_hash_eval(struct sidtab *h, 
 		}
 	}
 
-	printk(KERN_INFO "%s:  %d entries and %d/%d buckets used, longest "
+	printk(KERN_DEBUG "%s:  %d entries and %d/%d buckets used, longest "
 	       "chain length %d\n", tag, h->nel, slots_used, SIDTAB_SIZE,
 	       max_chain_len);
 }
--- linux-2.6.18.i686/security/selinux/ss/avtab.c.pre.printk	2006-09-19 23:42:06.000000000 -0400
+++ linux-2.6.18.i686/security/selinux/ss/avtab.c	2007-04-30 16:23:26.000000000 -0400
@@ -278,7 +278,7 @@ void avtab_hash_eval(struct avtab *h, ch
 		}
 	}
 
-	printk(KERN_INFO "%s:  %d entries and %d/%d buckets used, longest "
+	printk(KERN_DEBUG "%s:  %d entries and %d/%d buckets used, longest "
 	       "chain length %d\n", tag, h->nel, slots_used, AVTAB_SIZE,
 	       max_chain_len);
 }
--- linux-2.6.18.i686/security/selinux/ss/policydb.c.pre.printk	2007-04-30 16:21:09.000000000 -0400
+++ linux-2.6.18.i686/security/selinux/ss/policydb.c	2007-04-30 16:23:26.000000000 -0400
@@ -374,7 +374,7 @@ static void symtab_hash_eval(struct symt
 		struct hashtab_info info;
 
 		hashtab_stat(h, &info);
-		printk(KERN_INFO "%s:  %d entries and %d/%d buckets used, "
+		printk(KERN_DEBUG "%s:  %d entries and %d/%d buckets used, "
 		       "longest chain length %d\n", symtab_name[i], h->nel,
 		       info.slots_used, h->size, info.max_chain_len);
 	}
@@ -391,14 +391,14 @@ static int policydb_index_others(struct 
 {
 	int i, rc = 0;
 
-	printk(KERN_INFO "security:  %d users, %d roles, %d types, %d bools",
+	printk(KERN_DEBUG "security:  %d users, %d roles, %d types, %d bools",
 	       p->p_users.nprim, p->p_roles.nprim, p->p_types.nprim, p->p_bools.nprim);
 	if (selinux_mls_enabled)
 		printk(", %d sens, %d cats", p->p_levels.nprim,
 		       p->p_cats.nprim);
 	printk("\n");
 
-	printk(KERN_INFO "security:  %d classes, %d rules\n",
+	printk(KERN_DEBUG "security:  %d classes, %d rules\n",
 	       p->p_classes.nprim, p->te_avtab.nel);
 
 #ifdef DEBUG_HASHES

Perl :: Catalyst :: PostgreSQL :: RPM Valid HTML 4.01 Transitional