[RFC PATCH 4/6] selinux: improve network lookup failure warnings
From: Christian Göttsche
Date: Tue Mar 18 2025 - 04:36:03 EST
From: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
Rate limit the warnings and include additional available information.
Signed-off-by: Christian Göttsche <cgzones@xxxxxxxxxxxxxx>
---
security/selinux/netif.c | 8 ++++----
security/selinux/netnode.c | 4 ++--
security/selinux/netport.c | 4 ++--
3 files changed, 8 insertions(+), 8 deletions(-)
diff --git a/security/selinux/netif.c b/security/selinux/netif.c
index 43a0d3594b72..38fdba1e64bf 100644
--- a/security/selinux/netif.c
+++ b/security/selinux/netif.c
@@ -141,8 +141,8 @@ static int sel_netif_sid_slow(struct net *ns, int ifindex, u32 *sid)
dev = dev_get_by_index(ns, ifindex);
if (unlikely(dev == NULL)) {
- pr_warn("SELinux: failure in %s(), invalid network interface (%d)\n",
- __func__, ifindex);
+ pr_warn_ratelimited("SELinux: failure in %s(), invalid network interface (%d)\n",
+ __func__, ifindex);
return -ENOENT;
}
@@ -169,8 +169,8 @@ static int sel_netif_sid_slow(struct net *ns, int ifindex, u32 *sid)
spin_unlock_bh(&sel_netif_lock);
dev_put(dev);
if (unlikely(ret))
- pr_warn("SELinux: failure in %s(), unable to determine network interface label (%d)\n",
- __func__, ifindex);
+ pr_warn_ratelimited("SELinux: failure in %s(), unable to determine network interface label (%d): %d\n",
+ __func__, ifindex, ret);
return ret;
}
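Review bot: The `ret` appended to the label-lookup warning is printed as a bare negative integer, so whoever triages the log has to translate it back to an errno name by hand. printk's `%pe` prints the symbolic name when CONFIG_SYMBOLIC_ERRNAME is enabled and falls back to the number otherwise, e.g. `"... network interface label (%d): %pe\n", __func__, ifindex, ERR_PTR(ret)`. The same applies to the `ret` added in the netnode.c and netport.c hunks. sel_netif_sid_slow() begins outside this hunk, so the possible values of `ret` are not visible here.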
diff --git a/security/selinux/netnode.c b/security/selinux/netnode.c
index 8bb456d80dd5..76cf531af110 100644
--- a/security/selinux/netnode.c
+++ b/security/selinux/netnode.c
@@ -228,8 +228,8 @@ static int sel_netnode_sid_slow(const void *addr, u16 family, u32 *sid)
spin_unlock_bh(&sel_netnode_lock);
if (unlikely(ret))
- pr_warn("SELinux: failure in %s(), unable to determine network node label\n",
- __func__);
+ pr_warn_ratelimited("SELinux: failure in %s(), unable to determine network node label (%d): %d\n",
+ __func__, family, ret);
return ret;
}
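Review bot: The number in parentheses in the new netnode message is the address family, but the text does not say so, and in netif.c the same position holds an ifindex. The `(%d:%d)` in the netport.c hunk has the same problem for protocol and port. Labelling the fields makes the line readable without the source, and `%u` matches the unsigned `u16`/`u8` parameters: `"... network node label (family %u): %d\n"` and `"... network port label (protocol %u, port %u): %d\n"`. The address is still not logged; whether it can be added depends on the part of sel_netnode_sid_slow() that lies outside this hunk.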
diff --git a/security/selinux/netport.c b/security/selinux/netport.c
index 7d2207384d40..dadf14984fb4 100644
--- a/security/selinux/netport.c
+++ b/security/selinux/netport.c
@@ -162,8 +162,8 @@ static int sel_netport_sid_slow(u8 protocol, u16 pnum, u32 *sid)
out:
spin_unlock_bh(&sel_netport_lock);
if (unlikely(ret))
- pr_warn("SELinux: failure in %s(), unable to determine network port label\n",
- __func__);
+ pr_warn_ratelimited("SELinux: failure in %s(), unable to determine network port label (%d:%d): %d\n",
+ __func__, protocol, pnum, ret);
return ret;
}
--
2.49.0