[PATCH] --secontext: Implement displaying of expected context upon mismatch
Renaud Métrich
rmetrich at redhat.com
Tue Dec 28 12:12:16 UTC 2021
On 12/28/21 13:07, Renaud Métrich wrote:
> Hi all,
>
> Please find attached the new version of the patch, implementing the
> option using qualify_token.
>
> --secontext[=format]
>
> also available as
>
> -e secontext=format
>
> format being "all", "none" or comma separated list of "full" and
> "mismatch" (can be negated as well).
>
> I'm also attaching the code coverage report (CI doesn't have SELinux
> properly enabled).
>
>
> Honestly I consider using qualify_token much more confusing that my
> initial implementation.
>
> Indeed, you then get weird behaviour:
>
> "--secontext=!full" == type only + mismatch mode
>
> "--secontext=full" == full contexts but no mismatch mode
>
> "--secontext=!mismatch" == full contexts but no mismatch mode
>
>
> Renaud.
>
> On 12/11/21 22:59, Dmitry V. Levin wrote:
>> On Fri, Dec 10, 2021 at 02:06:36PM +0100, Renaud Métrich wrote:
>>> I have some questions regarding using qualify_tokens() for --secontext.
>>>
>>> We have --secontext enabled as soon as "type" is present, and using
>>> "mismatch" only implies "type" as well.
>>>
>>> In a nutshell "type" is always there, unless "--secontext=none" is
>>> specified.
>>>
>>> But what would something like below mean?
>>>
>>> --secontext=!type
>>>
>>> --secontext=!full,mismatch
>> I agree, --secontext=!type would result to --secontext=full,mismatch
>> which is very confusing.
>> --secontext=!full,mismatch would result to --secontext=type which is
>> less confusing.
>>
>> You could try the following trick: do not add --secontext=type syntax
>> at all, but implement current --secontext syntax as something like
>> add_number_to_set(SECONTEXT_TYPE, secontext_set)
>> - this way you won't allow the most confusing --secontext=!type syntax.
>>
>>> Finally should I also implement the qualifiers as "-e expr" argument as
>>> well?
>> I wouldn't bother.
>>
>>> Or should I implement --secontext as a no-arg option and rest as
>>> qualifiers, as shown below:
>>>
>>> --secontext -e secontext=full,mismatch
>> We already support --secontext=full, so no, this ship has already
>> sailed.
>>
>>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Implement-displaying-of-expected-context-upon-mismat.patch
Type: text/x-patch
Size: 37269 bytes
Desc: not available
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20211228/3729dec3/attachment.bin>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: OpenPGP_signature
Type: application/pgp-signature
Size: 840 bytes
Desc: OpenPGP digital signature
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20211228/3729dec3/attachment-0001.bin>
More information about the Strace-devel
mailing list