Proposing SELinux support in strace

Renaud Métrich rmetrich at redhat.com
Thu Mar 18 15:55:13 UTC 2021


Hello, I've just realized that the limitation on the mount namespace is 
a real blocker in the real world:

it appears that on systemd systems, all systemd services making use of 
PrivateTmp get their own namespace (due to having their own /var/tmp), 
which prevents the --secontext option from working for all files.

I just experienced this with a customer strace ...

I would hence like to add a new option (similar to "full", e.g. 
"nocheck") that would ignore the mount namespace check and resolve paths 
in the strace mount namespace.

This will potentially return invalid context information, but is 
definitely better than returning nothing at all.

This will at least make it possible to strace normal services that just have 
PrivateTmp set: most paths, except stuff in /var/tmp, will be correct.

Would you agree with this or would you prefer a new PR to come with this?

Sorry for the late heads up...

Renaud.

On 3/18/21 12:31 PM, Renaud Métrich wrote:
> See line. Updated patch attached.
>
> On 3/18/21 3:49 AM, Dmitry V. Levin wrote:
>> diff --git a/doc/strace.1.in b/doc/strace.1.in
>>> index 05c32d902..e310e0877 100644
>>> --- a/doc/strace.1.in
>>> +++ b/doc/strace.1.in
>>> @@ -53,6 +53,7 @@ strace \- trace system calls and signals
>>>   .OM \-P path
>>>   .OM \-p pid
>>>   .OP \-\-seccomp\-bpf
>>> +.if '@USE_SELINUX_FALSE@'#' .OP \-\-secontext[=full]
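Review bot: the synopsis entry hardcodes `full` as the only keyword, while the message above proposes a second one (`nocheck`); whichever bracket rendering the `.OP` line ends up with, keep the list of accepted keywords in a single place (the option description being moved to the "Output format" section) so the synopsis and the description do not drift apart when a keyword is added. The `.if '@USE_SELINUX_FALSE@'#'` guard itself is correct: with automake conditionals `USE_SELINUX_FALSE` expands to `#` exactly when SELinux support is compiled in, so the line is emitted only for such builds.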
>> [=full] should not be bold, consider changing the line to
>> .if '@USE_SELINUX_FALSE@'#' .OP \-\-secontext\fR[=\fIfull\fR]
>
> Actually "full" is a keyword here and not a variable, hence I think 
> it's better to have it not underlined at all.
>
> [<BOLD>--secontext</BOLD>[=full]]
>
>>
>> I think this should go to the end of "Output format:" section rather
>> "Miscellaneous:".
> OK, moved the option in the man page also.
>>> @@ -46,6 +48,7 @@ check_e '-t and --absolute-timestamps cannot be 
>>> provided simultaneously' -t --ti
>>>   check_e '-t and --absolute-timestamps cannot be provided 
>>> simultaneously' --absolute-timestamps -ttt -p $$
>>>   check_e '-t and --absolute-timestamps cannot be provided 
>>> simultaneously' -t --timestamps=ns -t -p $$
>>>   check_e '-t and --absolute-timestamps cannot be provided 
>>> simultaneously' --timestamps=ns -t --absolute-timestamps=unix -p $$
>>> +[ -n "$compiled_with_secontext" ] && check_h "invalid --secontext 
>>> argument: 'ss'" --secontext=ss
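Review bot: `[ -n "$compiled_with_secontext" ] && check_h ...` leaves the statement with exit status 1 whenever the variable is empty, so on a build without SELinux support a script that ends on this line, or that inspects `$?` afterwards, reports a failure although nothing went wrong; the `[ -z "$compiled_with_secontext" ] || check_h ...` form suggested below keeps a successful status in both cases. The two physical lines shown here are one logical line wrapped by the mail client, not a stray line break in the patch.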
>> We prefer writing it this way:
>>
>> [ -z "$compiled_with_secontext" ] ||
>>     check_h "invalid --secontext argument: 'ss'" --secontext=ss
> OK, that's what I had written initially, then thought some people don't 
> like that.
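An added example, written for this page and not taken from strace or from the thread, of the mount namespace check described at the top of the message and of the proposed "nocheck" relaxation: the tracee's and tracer's `/proc/<pid>/ns/mnt` inodes are compared, and the file label is fetched only when they match or when the override is set. The function names and the use of the raw `security.selinux` xattr instead of libselinux are choices made here, not strace's.

```c
/* Added example, not strace source: the mount namespace check that
 * --secontext relies on, plus the proposed "nocheck" relaxation. */
#include <stdio.h>
#include <sys/stat.h>
#include <sys/types.h>
#include <sys/xattr.h>
#include <unistd.h>

/* 1 if pid lives in the caller's mount namespace, 0 if not, -1 on error
 * (e.g. pid does not exist or /proc is not mounted). */
int same_mount_ns(pid_t pid)
{
    char path[64];
    struct stat self, other;

    if (stat("/proc/self/ns/mnt", &self) < 0)
        return -1;
    snprintf(path, sizeof path, "/proc/%ld/ns/mnt", (long) pid);
    if (stat(path, &other) < 0)
        return -1;
    /* nsfs hands out one inode per namespace, so equal inode == same ns */
    return self.st_dev == other.st_dev && self.st_ino == other.st_ino;
}

/* Copy the SELinux label of `path` (the raw security.selinux xattr, what
 * ls -Z prints) into buf.  Returns 1 with a label, 0 when the lookup was
 * skipped, -1 on error.  Without nocheck, a path belonging to a process in
 * another mount namespace is skipped, since resolving it here would walk the
 * tracer's tree, not the tracee's.  With nocheck the label is fetched anyway:
 * right for most paths, possibly wrong for the ones the namespace remaps
 * (such as /var/tmp under systemd's PrivateTmp). */
int path_secontext(pid_t pid, const char *path, int nocheck,
                   char *buf, size_t len)
{
    int same = same_mount_ns(pid);
    ssize_t n;

    if (same < 0)
        return -1;
    if (!same && !nocheck)
        return 0;
    n = lgetxattr(path, "security.selinux", buf, len - 1);
    if (n < 0)
        return -1;   /* unlabeled file, non-SELinux fs, or EACCES */
    buf[n] = '\0';
    return 1;
}
```

On a host without SELinux the label lookup fails with -1 even for a same-namespace path, which is the same "nothing printed" outcome the option has today; only the 0 result distinguishes the namespace mismatch.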
