[PATCH] --secontext: Implement displaying of expected context upon mismatch
Dmitry V. Levin
ldv at altlinux.org
Mon Jan 3 15:19:52 UTC 2022
On Mon, Jan 03, 2022 at 03:32:17PM +0100, Renaud Métrich wrote:
> On 1/3/22 15:03, Dmitry V. Levin wrote:
> >> @@ -192,8 +192,8 @@ secontext_full_file(const char *filename, bool mismatch)
> >> char *context = raw_secontext_full_file(filename);
> >> if (mismatch) {
> >> char *expected =
> >> raw_expected_secontext_full_file(filename);
> >> - if (expected && strcmp(context, expected) != 0) {
> >> - char *context_mismatch = xasprintf("%s!!%s",
> >> context, expected);
> >> + if (expected && (!context || strcmp(context, expected))) {
> >> + char *context_mismatch = xasprintf("%s!!%s",
> >> context ? context : "", expected);
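Review bot: the new condition `+ if (expected && (!context || strcmp(context, expected)))` turns a failed context retrieval (context == NULL) into a mismatch rendered as `!!expected` with an empty left-hand side, which a reader of the test output cannot tell apart from a genuinely empty context, and which diverges from selinux_getfdcon() and selinux_getfilecon() returning -1 and printing no context at all in that case. Either return early when context is NULL so the helper matches that behaviour, or print an explicit marker for the unavailable side, and state the chosen behaviour in a comment above the `if`.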
> > context == NULL means that getfilecon() has failed to obtain the context.
> > When this happens in strace, both selinux_getfdcon() and
> > selinux_getfilecon() return -1, that is, no context is printed at all.
>
> Well no, context == NULL never happens, but if it is happening anyway,
I've seen context == NULL in a system where selinux is not enabled.
> which just means that the context of the file couldn't be retrieved (e.g.
> an issue with an extended attribute), but still
> raw_expected_secontext_full_file(), which reads from the database, can
> contain a context, so I think it should be considered as different.
When context == NULL, raw_expected_secontext_full_file() is likely to exit
with perror_msg_and_skip("selabel_open"); I've seen this behaviour in a
system where selinux is not enabled. However, when context == NULL but
raw_expected_secontext_full_file() != NULL, the test will fail.
--
ldv