[PATCH] --secontext: Implement displaying of expected context upon mismatch

Dmitry V. Levin ldv at altlinux.org
Mon Dec 6 14:44:34 UTC 2021


On Wed, Oct 06, 2021 at 09:39:02PM +0200, Renaud Métrich wrote:
> This patch adds a new "mismatch" option to --secontext which enables
> printing the expected context extracted from the SELinux database when it
> differs from the current context.
> This is very useful when troubleshooting SELinux issues.
> Also available as a PR: https://github.com/strace/strace/pull/197
> (and more details there).
> Note: the code coverage is complete on my system running Fedora, but not 
> on the CI because selabel_open()/selabel_lookup() isn't available in the 
> provided libselinux library (which is known to return invalid contexts 
> anyway).
> I'm hence attaching my code coverage results as well for secontext.c and 
> strace.c which are the 2 files modified.
> New options to --secontext=...
> - short: (default, print type only)

As suggested by Eugene, if it's type only, let's call it "type".

> - mismatch: print expected context on mismatch

"mismatch" is fine, but looks like "full" also includes "mismatch",
turning "full" into an all-encompassing --secontext option.

I'd like to make --secontext implementation use qualify_tokens() parser
like many other options of that kind including the latest --decode-pids.

Let's say that --secontext means --secontext=type; "full" includes "type",
so that --secontext=full engulfs --secontext=type; "mismatch" is not
included in "full", so one would have to use --secontext=full,mismatch.

As a side effect of using qualify_tokens(), there would be
--secontext=none disabling the whole thing, and --secontext=all enabling
all bits including all future bits.

Does this make sense?

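The token semantics proposed above (bare --secontext meaning "type", "full" implying "type", "mismatch" being a separate bit, "none" clearing everything and "all" setting every bit), written out as a small standalone parser. This is an added illustration, not strace's own qualify_tokens() implementation or its secontext.c; the bit values, the names SECONTEXT_TYPE/FULL/MISMATCH/ALL and the function parse_secontext() are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical bit layout for --secontext; assumed for this example,
 * not taken from strace's source. */
enum {
	SECONTEXT_TYPE     = 1 << 0,  /* print the type component only */
	SECONTEXT_FULL     = 1 << 1,  /* print the full context (implies TYPE) */
	SECONTEXT_MISMATCH = 1 << 2,  /* also print the expected context on mismatch */
	SECONTEXT_ALL      = SECONTEXT_TYPE | SECONTEXT_FULL | SECONTEXT_MISMATCH,
};

struct secontext_token {
	const char *name;
	unsigned int set;	/* bits this token turns on */
};

/* "full" engulfs "type"; "mismatch" is deliberately not part of "full". */
static const struct secontext_token tokens[] = {
	{ "type",     SECONTEXT_TYPE },
	{ "full",     SECONTEXT_FULL | SECONTEXT_TYPE },
	{ "mismatch", SECONTEXT_MISMATCH },
	{ "all",      SECONTEXT_ALL },
	{ "none",     0 },	/* handled specially below: clears everything */
};

#define NTOKENS (sizeof(tokens) / sizeof(tokens[0]))

/*
 * Parse a comma-separated token list in the spirit of qualify_tokens().
 * Tokens are applied left to right, so "full,none" yields 0 and
 * "none,mismatch" yields SECONTEXT_MISMATCH.
 * Returns the resulting bitmask, or -1 on an unknown token.
 * A NULL or empty argument (a bare --secontext) means "type".
 */
int parse_secontext(const char *arg)
{
	unsigned int flags = 0;
	char buf[256];

	if (arg == NULL || *arg == '\0')
		return SECONTEXT_TYPE;

	/* strtok() modifies its input, so work on a bounded private copy. */
	if (strlen(arg) >= sizeof(buf))
		return -1;
	strcpy(buf, arg);

	for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
		size_t i;

		for (i = 0; i < NTOKENS; i++)
			if (strcmp(tok, tokens[i].name) == 0)
				break;
		if (i == NTOKENS)
			return -1;	/* unknown token: reject the whole option */

		if (strcmp(tok, "none") == 0)
			flags = 0;	/* "none" resets rather than ORs */
		else
			flags |= tokens[i].set;
	}
	return (int) flags;
}

int main(void)
{
	const char *samples[] = { "", "type", "full", "mismatch",
				  "full,mismatch", "all", "full,none", "bogus" };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
		printf("--secontext=%-14s -> %d\n", samples[i],
		       parse_secontext(samples[i]));
	return 0;
}
```

The only behaviour worth calling out is ordering: because "none" is a reset rather than a bit, --secontext=full,none disables everything while --secontext=none,full behaves like --secontext=full, which matches how a left-to-right token parser would treat it.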
