[PATCH] --secontext: Implement displaying of expected context upon mismatch
Dmitry V. Levin
ldv at altlinux.org
Mon Dec 6 14:44:34 UTC 2021
On Wed, Oct 06, 2021 at 09:39:02PM +0200, Renaud Métrich wrote:
> This patch adds a new "mismatch" option to --secontext which enables
> printing the expected context extracted from the SELinux database when it
> differs from the current context.
> This is very useful when troubleshooting SELinux issues.
> Also available as a PR: https://github.com/strace/strace/pull/197
> (and more details there).
> Note: the code coverage is complete on my system running Fedora, but not
> on the CI because selabel_open()/selabel_lookup() isn't available in the
> provided libselinux library (which is known to return invalid contexts
> I'm hence attaching my code coverage results as well for secontext.c and
> strace.c which are the 2 files modified.
> New options to --secontext=...
> - short: (default, print type only)
As suggested by Eugene, if it's type only, let's call it "type".
> - mismatch: print expected context on mismatch
"mismatch" is fine, but looks like "full" also includes "mismatch",
turning "full" into an all-encompassing --secontext option.
I'd like to make --secontext implementation use qualify_tokens() parser
like many other options of that kind including the latest --decode-pids.
Let's say that --secontext means --secontext=type, "full" includes "type"
so that --secontext=full engulfs --secontext=type, "mismatch" is not
included into "full" so one would have to use --secontext=full,mismatch.
As a side effect of using qualify_tokens(), there would be
--secontext=none disabling the whole thing, and --secontext=all enabling
all bits including all future bits.
Does this make sense?
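The token semantics proposed above (bare --secontext meaning "type", "full" including "type", "mismatch" kept separate so that it must be spelled --secontext=full,mismatch, plus "none" and "all") are easy to make concrete. The following is an added illustration, not strace's own qualify_tokens() implementation or any code from the patch under review; the enum names, the bit layout and the treatment of "none" as a reset are assumptions chosen here.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/*
 * Hypothetical bit layout for the proposed --secontext tokens.
 * These are illustration-only names, not strace's definitions.
 */
enum {
	SECONTEXT_TYPE     = 1 << 0,   /* "type": print the SELinux type only   */
	SECONTEXT_FULL     = 1 << 1,   /* "full": print the whole context        */
	SECONTEXT_MISMATCH = 1 << 2,   /* "mismatch": add the expected context   */
	/* "all" enables every bit, which is what lets future bits be picked up */
	SECONTEXT_ALL      = SECONTEXT_TYPE | SECONTEXT_FULL | SECONTEXT_MISMATCH,
};

/*
 * Parse a comma-separated --secontext argument into a bitmask, following
 * the rules sketched in the mail:
 *   NULL or ""      -> SECONTEXT_TYPE                   (bare --secontext)
 *   "full"          -> SECONTEXT_FULL | SECONTEXT_TYPE  ("full" engulfs "type")
 *   "full,mismatch" -> all three bits
 *   "none"          -> 0                                (disables the option)
 *   "all"           -> SECONTEXT_ALL
 * Returns -1 on an unknown token.  Treating "none" as a reset of what was
 * accumulated so far is an assumption of this example.
 */
int parse_secontext(const char *arg)
{
	if (!arg || !*arg)
		return SECONTEXT_TYPE;

	char *copy = strdup(arg);
	if (!copy)
		return -1;

	int bits = 0;
	char *save = NULL;
	for (char *tok = strtok_r(copy, ",", &save); tok;
	     tok = strtok_r(NULL, ",", &save)) {
		if (!strcmp(tok, "type"))
			bits |= SECONTEXT_TYPE;
		else if (!strcmp(tok, "full"))
			bits |= SECONTEXT_FULL | SECONTEXT_TYPE;
		else if (!strcmp(tok, "mismatch"))
			bits |= SECONTEXT_MISMATCH;
		else if (!strcmp(tok, "all"))
			bits |= SECONTEXT_ALL;
		else if (!strcmp(tok, "none"))
			bits = 0;
		else {
			free(copy);
			return -1;   /* unknown token: caller reports a usage error */
		}
	}
	free(copy);
	return bits;
}

int main(void)
{
	/* Constructed sample arguments, as a user might type them. */
	const char *samples[] = { NULL, "type", "full", "mismatch",
				  "full,mismatch", "none", "all", "bogus" };
	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("--secontext=%-14s -> %d\n",
		       samples[i] ? samples[i] : "(bare)",
		       parse_secontext(samples[i]));
	return 0;
}
```

Note that with this layout "mismatch" on its own only sets its own bit, which is why the mail expects users to write --secontext=full,mismatch to get the full context together with the expected one.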