[PATCH] --secontext: Implement displaying of expected context upon mismatch

Renaud Métrich rmetrich at redhat.com
Wed Dec 29 10:22:35 UTC 2021


On 12/29/21 10:47, Dmitry V. Levin wrote:
>> Unfortunately readlink() is not working here because readlink() doesn't
>> resolve fully but selabel_lookup() really requires knowing the path,
>> because it just checks in its database for the corresponding regex.
>>
>> Example:
>>
>> $ cd /tmp
>> $ ln -s /home/rmetrich symlinkdir
>> $ touch /home/rmetrich/bar
>> $ ln -s /tmp/symlinkdir/bar
>> $ matchpathcon $(readlink bar)
>> /tmp/symlinkdir/bar	<<none>>
>>
>> ---> WRONG
>>
>> $ matchpathcon $(realpath bar)
>> /home/rmetrich/bar	unconfined_u:object_r:user_home_t:s0
> When the function is called by selinux_getfdcon, the symlink in question
> is /proc/%u/fd/%u and it shouldn't need an extra canonicalization effort.
> Maybe in case of selinux_getfilecon you need this awful realpath, though.

OK, let's move realpath() to selinux_getfilecon() then and use readlink() in selinux_getfdcon().

I'll submit the new patch soon.
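The point made above, that readlink() returns the link target verbatim (which may itself pass through further symlinks) while realpath() canonicalizes every component, can be reproduced with a small C program. This is an added illustration and not part of the patch or of strace; it rebuilds the symlinkdir/bar layout from the quoted shell session in a temporary directory under /tmp (an assumption about the environment) and reports which of the two calls yields a path free of symlink components. The helper names readlink_once, has_symlink_dir_component and compare_readlink_realpath are hypothetical.

```c
#define _GNU_SOURCE
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical helper: single-level readlink() with NUL termination.
   readlink() never recurses, so the result may still contain symlinks. */
static int readlink_once(const char *link, char *out, size_t outsz)
{
    ssize_t n = readlink(link, out, outsz - 1);
    if (n < 0)
        return -1;
    out[n] = '\0';
    return 0;
}

/* Returns 1 if any directory component of path (the final component
   excluded) is itself a symlink, 0 if none is, -1 on error. */
static int has_symlink_dir_component(const char *path)
{
    char buf[PATH_MAX];
    size_t len = strlen(path);
    if (len >= sizeof buf)
        return -1;
    memcpy(buf, path, len + 1);
    for (char *p = strchr(buf + 1, '/'); p; p = strchr(p + 1, '/')) {
        struct stat st;
        *p = '\0';                 /* temporarily cut the path here */
        if (lstat(buf, &st) < 0)
            return -1;
        *p = '/';                  /* restore before moving on */
        if (S_ISLNK(st.st_mode))
            return 1;
    }
    return 0;
}

/* Builds, in a fresh temporary directory, the layout from the thread:
     real/bar       regular file
     symlinkdir     -> real
     bar            -> <base>/symlinkdir/bar
   Returns 1 if readlink(bar) still contains a symlink component while
   realpath(bar) resolves to real/bar, 0 if readlink() was already
   canonical, -1 on setup failure. The directory is removed afterwards. */
int compare_readlink_realpath(void)
{
    char tmpl[] = "/tmp/ctxdemoXXXXXX";   /* constructed scratch location */
    char base[PATH_MAX], real_dir[PATH_MAX], real_file[PATH_MAX];
    char linkdir[PATH_MAX], via_link[PATH_MAX], link_file[PATH_MAX];
    char from_readlink[PATH_MAX], from_realpath[PATH_MAX];
    int rc = -1;

    /* Canonicalize the base so the only symlinks on the path are ours. */
    if (!mkdtemp(tmpl) || !realpath(tmpl, base))
        return -1;
    snprintf(real_dir, sizeof real_dir, "%s/real", base);
    snprintf(real_file, sizeof real_file, "%s/real/bar", base);
    snprintf(linkdir, sizeof linkdir, "%s/symlinkdir", base);
    snprintf(via_link, sizeof via_link, "%s/symlinkdir/bar", base);
    snprintf(link_file, sizeof link_file, "%s/bar", base);

    if (mkdir(real_dir, 0700) == 0) {
        FILE *f = fopen(real_file, "w");
        if (f)
            fclose(f);
        if (f && symlink(real_dir, linkdir) == 0
              && symlink(via_link, link_file) == 0
              && readlink_once(link_file, from_readlink, sizeof from_readlink) == 0
              && realpath(link_file, from_realpath)) {
            int rl = has_symlink_dir_component(from_readlink);
            int rp = has_symlink_dir_component(from_realpath);
            printf("readlink: %s (symlink component: %d)\n", from_readlink, rl);
            printf("realpath: %s (symlink component: %d)\n", from_realpath, rp);
            if (rl == 1 && rp == 0 && strcmp(from_realpath, real_file) == 0)
                rc = 1;            /* only realpath() gave the real location */
            else if (rl == 0 && rp == 0)
                rc = 0;
        }
    }

    /* Tidy up regardless of how far setup got. */
    unlink(link_file);
    unlink(linkdir);
    unlink(real_file);
    rmdir(real_dir);
    rmdir(base);
    return rc;
}

int main(void)
{
    return compare_readlink_realpath() == 1 ? 0 : 1;
}
```

Because a database lookup such as selabel_lookup() matches the path string against regexes rather than walking the filesystem, the readlink() result in this run would be looked up under symlinkdir/ and miss the real entry, which is the mismatch the quoted matchpathcon session shows.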
