Proposing SELinux support in strace

Renaud Métrich rmetrich at redhat.com
Tue Nov 17 11:19:06 UTC 2020


Well, I'm OK to change the interface :-)

Most users will just need the short version (e.g. "unconfined_t").

I have no idea how to have parameters, but will check this, something 
like --secontext:full likely.

On 11/17/20 10:47 AM, Dmitry V. Levin wrote:
> Hi,
>
> On Tue, Nov 17, 2020 at 09:25:29AM +0100, Renaud Métrich wrote:
>> Dear developers,
>>
>> I'm proposing to add SELinux support into strace through using
>> "--secontext" option.
>>
>> This is very useful when debugging SELinux issues, in particular when a
>> process runs in an unexpected context or didn't transition properly, or
>> when a file being opened has not the proper context resulting in an EPERM.
>>
>> Sub-option "--typeonly" may be used to only print the type, as shown in
>> the examples below:
> Thanks, this is a nice feature.  I'm not sure about the interface,
> though: do we really want to introduce two different but interdependent
> options, or would it be better to introduce a single option with
> parameters?
>
>