[PATCH] --secontext: Implement displaying of expected context upon mismatch

Renaud Métrich rmetrich at redhat.com
Wed Dec 29 13:33:06 UTC 2021


Attached is the updated patch with all comments.

Also attaching code coverage.

On 12/29/21 11:22, Renaud Métrich wrote:
>
> On 12/29/21 10:47, Dmitry V. Levin wrote:
>>> Unfortunately readlink() is not working here because readlink() doesn't
>>> resolve fully but selabel_lookup() really requires knowing the path,
>>> because it just checks in its database for the corresponding regex.
>>>
>>> Example:
>>>
>>> $ cd /tmp
>>> $ ln -s /home/rmetrich symlinkdir
>>> $ touch /home/rmetrich/bar
>>> $ ln -s /tmp/symlinkdir/bar
>>> $ matchpathcon $(readlink bar)
>>> /tmp/symlinkdir/bar    <<none>>
>>>
>>> ---> WRONG
>>>
>>> $ matchpathcon $(realpath bar)
>>> /home/rmetrich/bar    unconfined_u:object_r:user_home_t:s0
>> When the function is called by selinux_getfdcon, the symlink in question
>> is /proc/%u/fd/%u and it shouldn't need an extra canonicalization effort.
>> Maybe in case of selinux_getfilecon you need this awful realpath, though.
>
> OK, let's move realpath() to selinux_getfilecon() then and use readlink()
> in selinux_getfdcon().
>
> I'll submit the new patch soon.
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20211229/95010e74/attachment.html>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20211229/95010e74/attachment-0001.html>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20211229/95010e74/attachment-0002.html>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20211229/95010e74/attachment-0003.html>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20211229/95010e74/attachment-0004.html>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20211229/95010e74/attachment-0005.html>
-------------- next part --------------
A non-text attachment was scrubbed...
Name: 0001-Implement-displaying-of-expected-context-upon-mismat.patch
Type: text/x-patch
Size: 37254 bytes
Desc: not available
URL: <http://lists.strace.io/pipermail/strace-devel/attachments/20211229/95010e74/attachment.bin>
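
The readlink() versus realpath() difference discussed in the quoted exchange, as an added example that is not part of the original message or of the strace patch. It rebuilds the symlink layout from the mail under a temporary directory; the paths and the function name `resolve_both` are constructed for illustration.

```c
#define _XOPEN_SOURCE 700
#include <limits.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed layout mirroring the mail, under a fresh temporary directory:
 *   base/home/bar                      regular file
 *   base/symlinkdir -> base/home       directory symlink
 *   base/link -> base/symlinkdir/bar   symlink whose target crosses symlinkdir
 * one_hop receives readlink(link), full receives realpath(link). */
int resolve_both(char *one_hop, char *full, size_t n)
{
	char tmpl[] = "/tmp/secontext-demo-XXXXXX";
	char home[PATH_MAX], file[PATH_MAX], dir[PATH_MAX], via[PATH_MAX], lnk[PATH_MAX];
	char *base, *res;
	ssize_t len;
	FILE *f;
	int ok;

	/* Canonicalize the base first so /tmp itself being a symlink is harmless. */
	if (!mkdtemp(tmpl) || !(base = realpath(tmpl, NULL)))
		return -1;
	snprintf(home, sizeof(home), "%s/home", base);
	snprintf(file, sizeof(file), "%s/home/bar", base);
	snprintf(dir, sizeof(dir), "%s/symlinkdir", base);
	snprintf(via, sizeof(via), "%s/symlinkdir/bar", base);
	snprintf(lnk, sizeof(lnk), "%s/link", base);
	free(base);
	if (mkdir(home, 0700) || !(f = fopen(file, "w")))
		return -1;
	fclose(f);
	if (symlink(home, dir) || symlink(via, lnk))
		return -1;

	len = readlink(lnk, one_hop, n - 1);	/* stored target only, no NUL added */
	res = realpath(lnk, NULL);		/* every path component resolved */
	ok = len >= 0 && res != NULL;
	if (ok) {
		one_hop[len] = '\0';
		snprintf(full, n, "%s", res);
	}
	free(res);
	unlink(lnk); unlink(dir); unlink(file); rmdir(home); rmdir(tmpl);
	return ok ? 0 : -1;
}
```

The readlink() result still contains the `symlinkdir` component, which is the path that `matchpathcon` reported as `<<none>>` in the mail; the realpath() result names the file under `home`.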