Re: [PATCH] contrib/selinux: use regex instead of non-standard bash macro

public inbox for passt-dev@passt.top
 help / color / mirror / code / Atom feed

From: Stefano Brivio <sbrivio@redhat.com>
To: Danish Prakash <contact@danishpraka.sh>
Cc: Max Chernoff <git@maxchernoff.ca>,
	passt-dev@passt.top, Paul Holzinger <pholzing@redhat.com>
Subject: Re: [PATCH] contrib/selinux: use regex instead of non-standard bash macro
Date: Wed, 29 Oct 2025 00:17:04 +0100	[thread overview]
Message-ID: <20251029001704.43f73a42@elisabeth> (raw)
In-Reply-To: <cfb5f0d3-973a-4937-9856-42a69b0fdffd@danishpraka.sh>

On Tue, 28 Oct 2025 11:58:18 +0530
Danish Prakash <contact@danishpraka.sh> wrote:

> On 10/27/25 2:37 PM, Stefano Brivio wrote:
> > Hi Danish,
> > 
> > On Mon, 27 Oct 2025 14:19:14 +0530
> > Danish Prakash <contact@danishpraka.sh> wrote:
> >   
> >> On 10/16/25 4:26 PM, Max Chernoff wrote:  
> >>> Hi Stefano,
> >>>
> >>> On Thu, 2025-10-16 at 10:21 +0200, Stefano Brivio wrote:    
> >>>> On Thu, 16 Oct 2025 13:10:41 +0530
> >>>> Danish Prakash <contact@danishpraka.sh> wrote:    
> >>>>> It might be possible to avoid using non-standard bash macro (%USERID),    
> >>>
> >>> It's not a Bash macro, it's a SELinux template. This doesn't seem to be
> >>> documented anywhere (which isn't terribly surprising with SELinux), but
> >>> it's defined in this file:
> >>>
> >>>     https://github.com/SELinuxProject/selinux/blob/ceb5b221/libsemanage/src/genhomedircon.c    
> >>
> >> Thanks Max, I wasn't aware of it being an SELinux template.
> >>  
> >>>     
> >>>> I wonder if
> >>>> Max remembers any reason why we couldn't do this in the first place.    
> >>>
> >>> The Fedora SELinux policy always uses %{USERID}, and so I copied it from
> >>> there:
> >>>
> >>>     $ grep -RnF '%{USERID}' policy/
> >>>     policy/modules/contrib/dbus.fc:29:/run/user/%{USERID}/bus	-s	gen_context(system_u:object_r:session_dbusd_tmp_t,s0)
> >>>     policy/modules/contrib/dbus.fc:30:/run/user/%{USERID}/dbus(/.*)? 	gen_context(system_u:object_r:session_dbusd_tmp_t,s0)
> >>>     policy/modules/contrib/dbus.fc:31:/run/user/%{USERID}/dbus-1(/.*)? 	gen_context(system_u:object_r:session_dbusd_tmp_t,s0)
> >>>     policy/modules/contrib/gnome.fc:25:/run/user/%{USERID}/\.orc(/.*)?		gen_context(system_u:object_r:gstreamer_home_t,s0)
> >>>     policy/modules/contrib/gnome.fc:26:/run/user/%{USERID}/dconf(/.*)?	gen_context(system_u:object_r:config_home_t,s0)
> >>>     policy/modules/contrib/gnome.fc:27:/run/user/%{USERID}/keyring.*	gen_context(system_u:object_r:gkeyringd_tmp_t,s0)
> >>>     policy/modules/kernel/filesystem.fc:17:/run/user/%{USERID}/gvfs		-d	gen_context(system_u:object_r:fusefs_t,s0)
> >>>     policy/modules/kernel/filesystem.fc:18:/run/user/%{USERID}/gvfs/.*	<<none>>
> >>>     policy/modules/system/userdomain.fc:38:/run/user/%{USERID}	-d	gen_context(system_u:object_r:user_tmp_t,s0)
> >>>     policy/modules/system/userdomain.fc:39:/run/user/%{USERID}/.+	<<none>>
> >>>
> >>>     $ grep -RnF '[0-9]+' policy/  | grep -v /dev/
> >>>     policy/modules/contrib/rpm.fc:52:/usr/bin/rhn_check-[0-9]+\.[0-9]+		--	gen_context(system_u:object_r:rpm_exec_t,s0)
> >>>     policy/modules/contrib/soundserver.fc:12:/run/yiff-[0-9]+\.pid	--	gen_context(system_u:object_r:soundd_var_run_t,s0)
> >>>     policy/modules/kernel/devices.if:6958:##	Allow read the hfi1_[0-9]+ devices
> >>>     
> >>>>> diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec
> >>>>> index 663289f53d97..d1bcf4a74338 100644
> >>>>> --- a/contrib/fedora/passt.spec
> >>>>> +++ b/contrib/fedora/passt.spec
> >>>>> [...]    
> >>>>
> >>>> At a glance, this looks like a better solution regardless of the
> >>>> reported issue. It sounds too good to be true, though    
> >>>
> >>> I agree that it looks like a good solution, which makes me wonder why
> >>> the base SELinux policies don't do it that way. The containers SELinux
> >>> policy appears to do things this way
> >>>
> >>>     $ grep -RnF '[0-9]+'
> >>>     container_selinux.8:166:	/run/user/[0-9]+/gvfs
> >>>     $ grep -RnF '%{USERID}'; echo $?
> >>>     1
> >>>
> >>> so it's probably (?) okay though.    
> >>
> >> That's helpful, I guess we can go ahead with this. Stefano, Paul?  
> > 
> > Sure. But back to my question about the original problem... what was
> > the original problem? :) Could it be something similar to:
> > 
> >   https://bugzilla.redhat.com/show_bug.cgi?id=2401764
> > 
> > ?  
> 
> Ah, sorry about that. No, it's not a functionality issue or a bug. It
> was merely a few suggestions to improve the passt SUSE package from the
> SELinux team at SUSE. Here are the suggestions:

Thanks for sharing those.

> 1. building twice is quite a hack, setting a hardlink as in apparmor
> would probably work as well and is less confusing

Details as to why it doesn't work:

  https://passt.top/passt/commit/?id=a405d0c026582375448fe87c6e440eb0fd428dd7

> 2.  running restorecon would be unnecessary if the passt upstream
> selinux module would not use ${USERID} in pasta.fc (gets converted to
> [0-9]+ anyway)

Would you be so kind as to re-post this patch (Cc'ing Max and Paul) with
a commit message reflecting this, and without private links?

> 3. there is a %selinux_requires macro in selinux-policy-devel that
> likely could be used instead of listing the Requires:, but okay we dont
> enforce that atm
> 
> For #1 I can see that building twice is required in this case, and
> unlike apparmor which can work with hardlinks, doing the same for
> SELinux isn't possible with inodes in the picture.

Right, yeah, it's because labels are stored in extended attributes, and
those belong to inodes, not paths.

> #2 is what this patch is about, and #3 is SUSE-exclusive which I'm
> fixing in parallel.

If I recall correctly, that part of openSUSE spec file is roughly taken
from:

  https://passt.top/passt/tree/contrib/fedora/passt.spec

and I build openSUSE packages in my Copr repository too
(https://copr.fedorainfracloud.org/coprs/sbrivio/passt/), based on the
Fedora spec file.

I'm not sure if it's useful for many people (one can try out an
upstream release right away like that) but it's almost zero effort on
my side. In any case, if the change also applies to Fedora or openSUSE
packages from Copr I guess it would be nice to have a patch for that as
well.

> > In general, there are a bunch of current SELinux issues reported on
> > Fedora/RHEL (and I assume they would be exactly the same on
> > openSUSE/SLES):
> > 
> >   https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&columnlist=short_desc%2Cchangeddate%2Cbug_severity&component=passt&product=Fedora
> > 
> > and I'm trying to find out if this change might fix some of them. Most
> > of those are stuff I didn't investigate yet.
> >   
> 
> Unfortunately no, I was notified of a few spec related errors from
> colleagues, but I'm sure the errors would overlap, as you said. If
> there's something I can help, please let me know, I'll be happy to
> contribute.

Thanks. I still need to find a moment to go through all of them with a
bit more time and I'll let you know, in case.

Well, of course, if you want to have a look meanwhile, that might help.
You would need an account at bugzilla.redhat.com to comment but, well, I
have an account on bugzilla.suse.com, so... :)

-- 
Stefano

next prev parent reply	other threads:[~2025-10-28 23:17 UTC|newest]

Thread overview: 19+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2025-10-16  7:40 Danish Prakash
2025-10-16  8:21 ` Stefano Brivio
2025-10-16 10:56   ` Max Chernoff
2025-10-27  8:49     ` Danish Prakash
2025-10-27  9:07       ` Stefano Brivio
2025-10-27  9:41         ` Max Chernoff
2025-10-28  6:28         ` Danish Prakash
2025-10-28 23:17           ` Stefano Brivio [this message]
2025-10-30  8:20             ` [PATCH v2] contrib/selinux: use regex instead of SELinux template Danish Prakash
2025-10-30  8:37             ` [PATCH] contrib/selinux: use regex instead of non-standard bash macro Danish Prakash
2025-10-30  8:43               ` Stefano Brivio
2025-10-30 10:06                 ` Stefano Brivio
2025-10-30 10:50                   ` Danish Prakash
2025-10-30 10:49             ` [PATCH v2] contrib/selinux: use regex instead of SELinux template Danish Prakash
2025-11-04  6:48               ` Max Chernoff
2025-11-04 21:13               ` Stefano Brivio
2025-11-05 10:28                 ` Max Chernoff
2025-11-05 15:31                   ` Stefano Brivio
2025-11-06 12:09                     ` Max Chernoff

Reply instructions:

You may reply publicly to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:
  https://en.wikipedia.org/wiki/Posting_style#Interleaved_style

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \
    --in-reply-to=20251029001704.43f73a42@elisabeth \
    --to=sbrivio@redhat.com \
    --cc=contact@danishpraka.sh \
    --cc=git@maxchernoff.ca \
    --cc=passt-dev@passt.top \
    --cc=pholzing@redhat.com \
    /path/to/YOUR_REPLY

  https://kernel.org/pub/software/scm/git/docs/git-send-email.html

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

Be sure your reply has a Subject: header at the top and a blank line before the message body.

Code repositories for project(s) associated with this public inbox

	https://passt.top/passt

This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox;
as well as URLs for IMAP folder(s).