selinux: improve debug configuration

If the SELinux debug configuration is enabled define the macro DEBUG
such that pr_debug() calls are always enabled, regardless of
CONFIG_DYNAMIC_DEBUG, since those message are the main reason for this
configuration in the first place.

Mention example usage in case CONFIG_DYNAMIC_DEBUG is enabled in the
help section of the configuration.

Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
Reviewed-by: Stephen Smalley <stephen.smalley.work@gmail.com>
Signed-off-by: Paul Moore <paul@paul-moore.com>

diff --git a/security/selinux/Kconfig b/security/selinux/Kconfig
index d30348fbe0df33fd00fe20bce614d578c26acaf4..61abc1e094a800c3f25577f9c771f5700322d2fa 100644 (file)
--- a/security/selinux/Kconfig
+++ b/security/selinux/Kconfig
@@ -77,3 +77,13 @@ config SECURITY_SELINUX_DEBUG
          This enables debugging code designed to help SELinux kernel
          developers, unless you know what this does in the kernel code you
          should leave this disabled.
+
+         To fine control the messages to be printed enable
+         CONFIG_DYNAMIC_DEBUG and see
+         Documentation/admin-guide/dynamic-debug-howto.rst for additional
+         information.
+
+         Example usage:
+
+               echo -n 'file "security/selinux/*" +p' > \
+                       /proc/dynamic_debug/control

diff --git a/security/selinux/Makefile b/security/selinux/Makefile
index 83637963905885db5a327bb6be580f4c2ea50bb0..c47519ed81565eb409330ffa39d22724f2ed3ac0 100644 (file)
--- a/security/selinux/Makefile
+++ b/security/selinux/Makefile
@@ -12,6 +12,8 @@ obj-$(CONFIG_SECURITY_SELINUX) := selinux.o
 
 ccflags-y := -I$(srctree)/security/selinux -I$(srctree)/security/selinux/include
 
+ccflags-$(CONFIG_SECURITY_SELINUX_DEBUG) += -DDEBUG
+
 selinux-y := avc.o hooks.o selinuxfs.o netlink.o nlmsgtab.o netif.o \
             netnode.o netport.o status.o \
             ss/ebitmap.o ss/hashtab.o ss/symtab.o ss/sidtab.o ss/avtab.o \