smack-team / smack

Smack userspace
GNU Lesser General Public License v2.1

More verbose reporting when applying access rules or CIPSO #59

Closed. jarkkojs closed this 11 years ago

jarkkojs commented 11 years ago

To make debugging easier, smackload said whether writing rules to the kernel or reading them from the rules file failed.

jarkkojs commented 11 years ago

And that was on purpose, BTW. The file-level granularity is not feasible when the performance of applying multiple files is optimized. The current patch has the best possible granularity. Please remember that if we start to merge rules, things get even more complex, because then there is no direct correspondence between an applied rule and a file.

What you could do to provide some insight is to add functions such as:

    enum smack_rule { SMACK_RULE_SUBJECT, SMACK_RULE_OBJECT, SMACK_RULE_ALLOW_ACCESS,
                      SMACK_RULE_DENY_ACCESS };

    void smack_accesses_get_from_current(struct smack_accesses *accesses, enum smack_rule,
                                         char *buffer, int size);

This would return values from the latest applied rule (which would be the failing rule when apply fails).

jarkkojs commented 11 years ago

I opened issue #63 for this as a backlog item.

jarkkojs commented 11 years ago

It would make sense to report the directory name when applying a directory fails and the file name when applying a single file fails. That would improve granularity and is not affected even if there is merging of rules. It would be less intrusive than adding that kind of function.
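The two reporting options discussed in this thread, as an added C example that is not libsmack's or smackload's own code: a hypothetical rule_ctx records the file, line and fields of the last rule handled, apply_rules stops at the first malformed or refused rule, and smack_accesses_get_from_current mirrors the accessor proposed above (with only the three fields a load-style rule carries). The write to the kernel is replaced by a constructed callback, and the rules text and file name are constructed too.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical context, not libsmack's: the last rule applied (or refused)
 * plus the rules file and line it came from, so a failure can be reported. */
enum smack_rule { SMACK_RULE_SUBJECT, SMACK_RULE_OBJECT, SMACK_RULE_ALLOW_ACCESS };
struct rule_ctx { char subject[256], object[256], access[8]; const char *file; int line; };

/* Stand-in for writing one rule to the kernel: returns 0 on success, -1 if refused. */
typedef int (*apply_fn)(const char *subject, const char *object, const char *access);

/* Parse "subject object access" lines from text (the contents of file) and apply
 * each one; stop at the first malformed or refused rule, leaving it in ctx.
 * Returns the number of rules applied, or -1 on failure. */
int apply_rules(struct rule_ctx *ctx, const char *file, const char *text, apply_fn apply)
{
    int applied = 0;
    ctx->file = file;
    ctx->line = 0;
    while (*text) {
        const char *eol = strchr(text, '\n');
        size_t len = eol ? (size_t)(eol - text) : strlen(text);
        char line[600];
        ctx->line++;
        if (len >= sizeof line) return -1;                 /* overlong line */
        memcpy(line, text, len);
        line[len] = '\0';
        text += eol ? len + 1 : len;
        if (line[0] == '\0' || line[0] == '#') continue;   /* blank or comment */
        if (sscanf(line, "%255s %255s %7s", ctx->subject, ctx->object, ctx->access) != 3)
            return -1;                                     /* malformed: ctx->line says where */
        if (apply(ctx->subject, ctx->object, ctx->access) != 0)
            return -1;                                     /* refused: ctx holds the rule */
        applied++;
    }
    return applied;
}
/* The accessor proposed in the thread: copy one field of the last rule into buffer. */
void smack_accesses_get_from_current(const struct rule_ctx *ctx, enum smack_rule which,
                                     char *buffer, int size)
{
    const char *src = which == SMACK_RULE_SUBJECT ? ctx->subject
                    : which == SMACK_RULE_OBJECT ? ctx->object : ctx->access;
    snprintf(buffer, (size_t)size, "%s", src);
}
/* Constructed sample policy; the last rule carries an invalid access letter 'z'. */
static const char *sample_rules = "System User rwx\n# comment\nUser _ r\nApp1 App2 rz\n";
/* Constructed stand-in for the kernel check: only the letters rwxatl (or -) are accepted. */
static int fake_apply(const char *s, const char *o, const char *a)
{
    (void)s; (void)o;
    return strspn(a, "rwxatl-") == strlen(a) ? 0 : -1;
}
```

A caller that gets -1 can print ctx.file, ctx.line and the three fields, which is the per-file and per-rule detail the thread asks for without changing how rules are batched.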