[PATCH] --secontext: Implement displaying of expected context upon mismatch
Dmitry V. Levin
ldv at altlinux.org
Sat Dec 11 21:59:29 UTC 2021
On Fri, Dec 10, 2021 at 02:06:36PM +0100, Renaud Métrich wrote:
> I have some questions regarding using qualify_tokens() for --secontext.
>
> We have --secontext enabled as soon as "type" is present, and using
> "mismatch" only implies "type" as well.
>
> In a nutshell "type" is always there, unless "--secontext=none" is
> specified.
>
> But what would something like below mean?
>
> --secontext=!type
>
> --secontext=!full,mismatch
I agree, --secontext=!type would result to --secontext=full,mismatch
which is very confusing.
--secontext=!full,mismatch would result to --secontext=type which is
less confusing.
You could try the following trick: do not add --secontext=type syntax
at all, but implement current --secontext syntax as something like
add_number_to_set(SECONTEXT_TYPE, secontext_set)
- this way you won't allow the most confusing --secontext=!type syntax.
> Finally should I also implement the qualifiers as "-e expr" argument as
> well?
I wouldn't bother.
> Or should I implement --secontext as a no-arg option and rest as
> qualifiers, as shown below:
>
> --secontext -e secontext=full,mismatch
We already support --secontext=full, so no, this ship has already sailed.
--
ldv
More information about the Strace-devel
mailing list