libselinux: load_policy: log using selinux_log instead of fprintf

WavyEbuilder · stephensmalley · commit ea29052c20c9 · 2025-07-31T10:10:56.000-04:00
This allows consumers to override our logging to stderr using the
callback based mechanism selinux_log provides.

Signed-off-by: Rahul Sandhu &lt;nvraxn@gmail.com&gt;
Acked-by: Stephen Smalley &lt;stephen.smalley.work@gmail.com&gt;
diff --git a/libselinux/src/load_policy.c b/libselinux/src/load_policy.c
@@ -16,6 +16,7 @@
 #include <sepol/policydb.h>
 #endif
 #include <dlfcn.h>
+#include "callbacks.h"
 #include "policy.h"
 #include <limits.h>
 
@@ -136,25 +137,25 @@ int selinux_mkload_policy(int preservebools __attribute__((unused)))
 		fd = open(path, O_RDONLY | O_CLOEXEC);
 	}
 	if (fd < 0) {
-		fprintf(stderr,
-			"SELinux:  Could not open policy file <= %s.%d:  %m\n",
-			selinux_binary_policy_path(), maxvers);
+		selinux_log(SELINUX_ERROR,
+		            "SELinux:  Could not open policy file <= %s.%d:  %m\n",
+		            selinux_binary_policy_path(), maxvers);
 		goto dlclose;
 	}
 
 	if (fstat(fd, &sb) < 0) {
-		fprintf(stderr,
-			"SELinux:  Could not stat policy file %s:  %m\n",
-			path);
+		selinux_log(SELINUX_ERROR,
+		            "SELinux:  Could not stat policy file %s:  %m\n",
+		            path);
 		goto close;
 	}
 
 	size = sb.st_size;
 	data = map = mmap(NULL, size, PROT_READ, MAP_PRIVATE, fd, 0);
 	if (map == MAP_FAILED) {
-		fprintf(stderr,
-			"SELinux:  Could not map policy file %s:  %m\n",
-			path);
+		selinux_log(SELINUX_ERROR,
+		            "SELinux:  Could not map policy file %s:  %m\n",
+		            path);
 		goto close;
 	}
 
@@ -175,9 +176,9 @@ int selinux_mkload_policy(int preservebools __attribute__((unused)))
 		if (policydb_set_vers(policydb, kernvers) ||
 		    policydb_to_image(NULL, policydb, &data, &size)) {
 			/* Downgrade failed, keep searching. */
-			fprintf(stderr,
-				"SELinux:  Could not downgrade policy file %s, searching for an older version.\n",
-				path);
+			selinux_log(SELINUX_ERROR,
+			            "SELinux:  Could not downgrade policy file %s, searching for an older version.\n",
+			            path);
 			policy_file_free(pf);
 			policydb_free(policydb);
 			munmap(map, sb.st_size);
@@ -192,9 +193,9 @@ int selinux_mkload_policy(int preservebools __attribute__((unused)))
 	rc = security_load_policy(data, size);
 	
 	if (rc)
-		fprintf(stderr,
-			"SELinux:  Could not load policy file %s:  %m\n",
-			path);
+		selinux_log(SELINUX_ERROR,
+		            "SELinux:  Could not load policy file %s:  %m\n",
+		            path);
 
       unmap:
 	if (data != map)
@@ -205,7 +206,7 @@ int selinux_mkload_policy(int preservebools __attribute__((unused)))
       dlclose:
 #ifdef SHARED
 	if (errormsg)
-		fprintf(stderr, "libselinux:  %s\n", errormsg);
+		selinux_log(SELINUX_ERROR, "libselinux:  %s\n", errormsg);
 	if (libsepolh)
 		dlclose(libsepolh);
 #endif
@@ -317,7 +318,7 @@ int selinux_init_load_policy(int *enforce)
 			*enforce = 0;
 		} else {
 			/* Only emit this error if selinux was not disabled */
-			fprintf(stderr, "Mount failed for selinuxfs on %s:  %m\n", SELINUXMNT);
+			selinux_log(SELINUX_ERROR, "Mount failed for selinuxfs on %s:  %m\n", SELINUXMNT);
 		}
 
 		if (rc == 0)
@@ -365,7 +366,7 @@ int selinux_init_load_policy(int *enforce)
 	if (orig_enforce != *enforce) {
 		rc = security_setenforce(*enforce);
 		if (rc < 0) {
-			fprintf(stderr, "SELinux:  Unable to switch to %s mode:  %m\n", (*enforce ? "enforcing" : "permissive"));
+			selinux_log(SELINUX_ERROR, "SELinux:  Unable to switch to %s mode:  %m\n", (*enforce ? "enforcing" : "permissive"));
 			if (*enforce)
 				goto noload;
 		}
