From mboxrd@z Thu Jan 1 00:00:00 1970
Subject: Re: [PATCH] contrib/selinux: use regex instead of non-standard bash macro
From: Max Chernoff
To: Stefano Brivio, Danish Prakash
CC: passt-dev@passt.top, Paul Holzinger
Date: Thu, 16 Oct 2025 04:56:20 -0600
In-Reply-To: <20251016102134.5e2edf04@elisabeth>
References: <20251016074045.562352-1-contact@danishpraka.sh> <20251016102134.5e2edf04@elisabeth>

Hi Stefano,

On Thu, 2025-10-16 at 10:21 +0200, Stefano Brivio wrote:
> On Thu, 16 Oct 2025 13:10:41 +0530
> Danish Prakash wrote:
>
> > It might be possible to avoid using non-standard bash macro (%USERID),

It's not a Bash macro, it's a SELinux template. This doesn't seem to be
documented anywhere (which isn't terribly surprising with SELinux), but
it's defined in this file:

https://github.com/SELinuxProject/selinux/blob/ceb5b221/libsemanage/src/genhomedircon.c

> I wonder if
> Max remembers any reason why we couldn't do this in the first place.

The Fedora SELinux policy always uses %{USERID}, and so I copied it from
there:

$ grep -RnF '%{USERID}' policy/
policy/modules/contrib/dbus.fc:29:/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_tmp_t,s0)
policy/modules/contrib/dbus.fc:30:/run/user/%{USERID}/dbus(/.*)? gen_context(system_u:object_r:session_dbusd_tmp_t,s0)
policy/modules/contrib/dbus.fc:31:/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_tmp_t,s0)
policy/modules/contrib/gnome.fc:25:/run/user/%{USERID}/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0)
policy/modules/contrib/gnome.fc:26:/run/user/%{USERID}/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0)
policy/modules/contrib/gnome.fc:27:/run/user/%{USERID}/keyring.* gen_context(system_u:object_r:gkeyringd_tmp_t,s0)
policy/modules/kernel/filesystem.fc:17:/run/user/%{USERID}/gvfs -d gen_context(system_u:object_r:fusefs_t,s0)
policy/modules/kernel/filesystem.fc:18:/run/user/%{USERID}/gvfs/.* <<none>>
policy/modules/system/userdomain.fc:38:/run/user/%{USERID} -d gen_context(system_u:object_r:user_tmp_t,s0)
policy/modules/system/userdomain.fc:39:/run/user/%{USERID}/.+ <<none>>

$ grep -RnF '[0-9]+' policy/ | grep -v /dev/
policy/modules/contrib/rpm.fc:52:/usr/bin/rhn_check-[0-9]+\.[0-9]+ -- gen_context(system_u:object_r:rpm_exec_t,s0)
policy/modules/contrib/soundserver.fc:12:/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0)
policy/modules/kernel/devices.if:6958:## Allow read the hfi1_[0-9]+ devices

> > diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec
> > index 663289f53d97..d1bcf4a74338 100644
> > --- a/contrib/fedora/passt.spec
> > +++ b/contrib/fedora/passt.spec
> > [...]
>
> At a glance, this looks like a better solution regardless of the
> reported issue. It sounds too good to be true, though

I agree that it looks like a good solution, which makes me wonder why
the base SELinux policies don't do it that way. The containers SELinux
policy appears to do things this way

$ grep -RnF '[0-9]+'
container_selinux.8:166: /run/user/[0-9]+/gvfs
$ grep -RnF '%{USERID}'; echo $?
1

so it's probably (?) okay though.

Thanks,
-- Max
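The difference the thread is weighing, as an added illustration that is not part of the list discussion or of passt: a `%{USERID}` file-context line is only meaningful once libsemanage's genhomedircon has instantiated it with a concrete uid (modelled here as a plain string substitution, an assumption about genhomedircon's behaviour), while the `[0-9]+` form is an ordinary regex that matches any uid's runtime directory. The spec strings and the uid are constructed sample values.

```python
import re

# Assumption: genhomedircon substitutes %{USERID} with each configured login
# user's numeric uid when it generates file_contexts.homedirs. Modelled here
# as a plain string replacement for a single user.
def expand_template(spec: str, uid: int) -> str:
    """Instantiate a templated file-context regex for one concrete uid."""
    return spec.replace("%{USERID}", str(uid))


def fc_matches(spec: str, path: str) -> bool:
    """A file_contexts regex is matched against the whole path, so anchor it
    (equivalent to ^spec$) rather than searching for a substring."""
    return re.fullmatch(spec, path) is not None


# Constructed sample specs: the template form used by the Fedora policy and
# the regex form proposed in the patch, both for the same dbus runtime dir.
TEMPLATE_SPEC = r"/run/user/%{USERID}/dbus(/.*)?"
REGEX_SPEC = r"/run/user/[0-9]+/dbus(/.*)?"


def compare(path: str, uid: int = 1000) -> dict:
    """Report whether each form would label `path`, given that the template
    was instantiated for `uid` only."""
    instantiated = expand_template(TEMPLATE_SPEC, uid)
    return {
        "template_for_uid": fc_matches(instantiated, path),
        "regex": fc_matches(REGEX_SPEC, path),
    }


if __name__ == "__main__":
    for p in ("/run/user/1000/dbus", "/run/user/1000/dbus/session",
              "/run/user/1001/dbus", "/run/user/1000/dbus-1"):
        print(p, compare(p))
```

The last path shows that `(/.*)?` does not spill over into `dbus-1`, which is why the policy carries a separate `dbus-1(/.*)?` line.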