[PATCH] --secontext: Implement displaying of expected context upon mismatch

Renaud Métrich rmetrich at redhat.com
Tue Dec 7 06:35:25 UTC 2021


Well, anything can be chosen, there is no getfilecon/getpidcon 
functionality here: SELinux has no idea what is really expected; it's a 
comparison to its database (which isn't used by the kernel, and which the 
kernel is not aware of).

So I chose to display a "!!" for now:

"myfile" [foobar_t!!expected_context_t]

Renaud.

On 12/6/21 21:10, Dmitry V. Levin wrote:
> On Mon, Dec 06, 2021 at 08:46:09PM +0100, Renaud Métrich wrote:
>> On 12/6/21 15:44, Dmitry V. Levin wrote:
>>> Let's say that --secontext means --secontext=type, "full" includes "type"
>>> so that --secontext=full engulfs --secontext=type, "mismatch" is not
>>> included into "full" so one would have to use --secontext=full,mismatch.
>> That's already the case, full == the full context, but no mismatch check.
>>> As a side effect of using qualify_tokens(), there would be
>>> --secontext=none disabling the whole thing, and --secontext=all enabling
>>> all bits including all future bits.
>>>
>>> Does this make sense?
>>>
>> OK I get it.
>>
>> What about having the mismatched context be printed after a double
>> exclamation mark "!!".
>>
>> Are you ok with this?
> What are the symbols we're choosing from?
> Are there any symbols that cannot be returned by getfilecon/getpidcon?
>
>
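The following is an added example, not part of the thread or of strace itself. It models the two things discussed above in Python: the option semantics Dmitry described (bare --secontext means "type", "full" engulfs "type", "mismatch" is separate, "none" clears everything, "all" enables every bit) and a parser for the "[actual!!expected]" output form Renaud chose, so a log reviewer can pull out the files whose on-disk label disagrees with the policy database. The token table, the helper names and the sample trace lines are constructed for this example and are assumptions, not strace's actual qualify_tokens() implementation.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

# Hypothetical token table modelled on the thread's description; the real
# strace implementation may differ.  "full" implies "type"; "mismatch" is
# a separate bit that "full" does not include.
SECONTEXT_TOKENS = {"type", "full", "mismatch"}
IMPLIES = {"full": {"type"}}


def parse_secontext_option(value: Optional[str]) -> Set[str]:
    """Return the enabled tokens for a --secontext[=tok,...] option value.

    None stands for a bare --secontext, which the thread equates to "type".
    "none" disables everything seen so far, "all" enables every known bit.
    """
    if value is None:
        value = "type"
    enabled: Set[str] = set()
    for tok in value.split(","):
        tok = tok.strip()
        if tok == "none":
            enabled.clear()
        elif tok == "all":
            enabled |= SECONTEXT_TOKENS
        elif tok in SECONTEXT_TOKENS:
            enabled.add(tok)
            enabled |= IMPLIES.get(tok, set())
        else:
            raise ValueError(f"unknown --secontext token: {tok!r}")
    return enabled


@dataclass(frozen=True)
class SEContext:
    path: str
    actual: str                # label read back from the file (getfilecon)
    expected: Optional[str]    # label from the policy database, if "!!" shown

    @property
    def mismatch(self) -> bool:
        return self.expected is not None


# A quoted path followed by "[actual]" or "[actual!!expected]".  Contexts
# never contain whitespace, ']' or '!', so those delimit the fields.
_SECONTEXT_RE = re.compile(
    r'"((?:[^"\\]|\\.)*)"\s*\[([^\]\s!]+)(?:!!([^\]\s!]+))?\]'
)


def context_type(ctx: str) -> str:
    """Type component of a context: full 'u:r:t:s0' -> 't'; a bare type is returned as-is."""
    parts = ctx.split(":")
    return parts[2] if len(parts) >= 3 else ctx


def parse_trace_line(line: str) -> List[SEContext]:
    """Extract every (path, context) annotation from one strace output line."""
    return [
        SEContext(path=m.group(1), actual=m.group(2), expected=m.group(3))
        for m in _SECONTEXT_RE.finditer(line)
    ]


def find_mismatches(lines: List[str]) -> List[Tuple[str, str, str]]:
    """Return (path, actual, expected) for every annotation carrying '!!'."""
    out = []
    for line in lines:
        for ctx in parse_trace_line(line):
            if ctx.mismatch:
                out.append((ctx.path, ctx.actual, ctx.expected))
    return out


# Constructed sample output, in the shape of --secontext=type,mismatch (first
# line) and --secontext=full,mismatch (remaining lines).  Not real traces.
SAMPLE_LINES = [
    'openat(AT_FDCWD, "myfile" [foobar_t!!expected_context_t], O_RDONLY) = 3',
    'openat(AT_FDCWD, "/etc/passwd" [system_u:object_r:passwd_file_t:s0], O_RDONLY|O_CLOEXEC) = 4',
    'openat(AT_FDCWD, "/var/www/index.html" '
    '[system_u:object_r:user_home_t:s0!!system_u:object_r:httpd_sys_content_t:s0], '
    'O_RDONLY) = -1 EACCES (Permission denied)',
]

if __name__ == "__main__":
    print(sorted(parse_secontext_option("full,mismatch")))
    for path, actual, expected in find_mismatches(SAMPLE_LINES):
        print(f"{path}: has {context_type(actual)}, policy expects {context_type(expected)}")
```

The "EACCES" sample line is the case a reviewer cares about: the "!!" annotation shows that the denial is a labelling problem (a file with the wrong type) rather than a policy rule problem, which is the practical value of the mismatch display.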