[PATCH] --secontext: Implement displaying of expected context upon mismatch

Renaud Métrich rmetrich at redhat.com
Fri Dec 10 08:51:24 UTC 2021


OK, I will rework the PR and come back with a new patch. But with 
Christmas this may take some time.

On 12/6/21 15:44, Dmitry V. Levin wrote:
> Hi,
>
> On Wed, Oct 06, 2021 at 09:39:02PM +0200, Renaud Métrich wrote:
>> This patch adds a new "mismatch" option to --secontext which enables
>> printing the expected context extracted from the SELinux database when it
>> differs from the current context.
>>
>> This is very useful when troubleshooting SELinux issues.
>>
>> Also available as a PR: https://github.com/strace/strace/pull/197
>>
>> (and more details there).
>>
>> Note: the code coverage is complete on my system running Fedora, but not
>> on the CI because selabel_open()/selabel_lookup() isn't available in the
>> provided libselinux library (which is known to return invalid contexts
>> anyway).
>>
>> I'm hence attaching my code coverage results as well for secontext.c and
>> strace.c which are the 2 files modified.
> [...]
>> New options to --secontext=...
>> - short: (default, print type only)
> As suggested by Eugene, if it's type only, let's call it "type".
>
>> - mismatch: print expected context on mismatch
> "mismatch" is fine, but looks like "full" also includes "mismatch",
> turning "full" into an all-encompassing --secontext option.
>
> I'd like to make --secontext implementation use qualify_tokens() parser
> like many other options of that kind including the latest --decode-pids.
>
> Let's say that --secontext means --secontext=type, "full" includes "type"
> so that --secontext=full engulfs --secontext=type, "mismatch" is not
> included into "full" so one would have to use --secontext=full,mismatch.
>
> As a side effect of using qualify_tokens(), there would be
> --secontext=none disabling the whole thing, and --secontext=all enabling
> all bits including all future bits.
>
> Does this make sense?
>
>
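The token semantics proposed in the quoted reply (bare --secontext meaning "type", "full" including "type", "mismatch" kept separate so that full,mismatch is needed, plus "none" and "all") can be modelled as a small bit-set parser. The following is an added illustration, not strace code and not its qualify_tokens() implementation; the enum names, the SECONTEXT_ALL/SECONTEXT_INVALID values and the function names parse_secontext()/secontext_bits() are assumptions made here for the example.

```c
/* Added example, not part of strace: a minimal tokenizer for the proposed
 * --secontext=type,full,mismatch,none,all semantics discussed above.
 * Everything below (names, bit layout) is hypothetical; strace itself
 * would route this through qualify_tokens(). */
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

enum {
	SECONTEXT_TYPE     = 1U << 0, /* print the type field only (the default) */
	SECONTEXT_FULL     = 1U << 1, /* print the whole context */
	SECONTEXT_MISMATCH = 1U << 2, /* also print the expected context on mismatch */
	/* "all" is the OR of every defined bit; a future bit added to this enum
	 * must be added here so "all" keeps covering it. */
	SECONTEXT_ALL      = SECONTEXT_TYPE | SECONTEXT_FULL | SECONTEXT_MISMATCH,
	SECONTEXT_INVALID  = ~0U,     /* returned by secontext_bits() for a bad token */
};

/* Each token maps to the set of bits it enables; "full" includes "type",
 * "mismatch" is deliberately not included in "full". */
static const struct {
	const char *name;
	unsigned bits;
} secontext_tokens[] = {
	{ "type",     SECONTEXT_TYPE },
	{ "full",     SECONTEXT_FULL | SECONTEXT_TYPE },
	{ "mismatch", SECONTEXT_MISMATCH },
	{ "all",      SECONTEXT_ALL },
	{ "none",     0 },
};

/* Parse the argument of --secontext[=TOKENS]. arg == NULL (or "") is the
 * bare option, equivalent to --secontext=type. Tokens accumulate left to
 * right; "none" clears everything seen so far. Returns false on an
 * unknown token or an over-long argument, true otherwise with *out set. */
bool parse_secontext(const char *arg, unsigned *out)
{
	unsigned bits = 0;
	char buf[128];

	if (!arg || !*arg) {
		*out = SECONTEXT_TYPE;
		return true;
	}
	if (strlen(arg) >= sizeof(buf))
		return false;
	strcpy(buf, arg);

	for (char *tok = strtok(buf, ","); tok; tok = strtok(NULL, ",")) {
		bool found = false;
		size_t n = sizeof(secontext_tokens) / sizeof(secontext_tokens[0]);

		for (size_t i = 0; i < n; i++) {
			if (strcmp(tok, secontext_tokens[i].name) != 0)
				continue;
			bits = secontext_tokens[i].bits
			       ? (bits | secontext_tokens[i].bits) : 0;
			found = true;
			break;
		}
		if (!found)
			return false;
	}
	*out = bits;
	return true;
}

/* Convenience wrapper: the parsed bit set, or SECONTEXT_INVALID on error. */
unsigned secontext_bits(const char *arg)
{
	unsigned bits;

	return parse_secontext(arg, &bits) ? bits : SECONTEXT_INVALID;
}

int main(void)
{
	const char *samples[] = { NULL, "type", "full", "full,mismatch",
				  "mismatch", "all", "full,none", "short" };

	for (size_t i = 0; i < sizeof(samples) / sizeof(samples[0]); i++) {
		unsigned bits = secontext_bits(samples[i]);

		printf("--secontext%s%s -> ", samples[i] ? "=" : "",
		       samples[i] ? samples[i] : "");
		if (bits == SECONTEXT_INVALID)
			printf("invalid token\n");
		else
			printf("type=%u full=%u mismatch=%u\n",
			       !!(bits & SECONTEXT_TYPE),
			       !!(bits & SECONTEXT_FULL),
			       !!(bits & SECONTEXT_MISMATCH));
	}
	return 0;
}
```

Note that with these semantics --secontext=full alone never prints the expected context: a user debugging a labelling problem has to spell out full,mismatch (or all), which is the trade-off the reply accepts in exchange for a uniform token parser.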
