Bug 2038810
Summary: | RFE: backport of --secontext=mismatch functionality | |||
---|---|---|---|---|
Product: | Red Hat Enterprise Linux 8 | Reporter: | Renaud Métrich <rmetrich> | |
Component: | strace | Assignee: | Eugene Syromiatnikov <esyr> | |
strace sub component: | system-version | QA Contact: | Jesus Checa <jchecahi> | |
Status: | CLOSED ERRATA | Docs Contact: | ||
Severity: | medium | |||
Priority: | medium | CC: | emachado, jchecahi, ohudlick | |
Version: | 8.5 | Keywords: | FutureFeature, Triaged | |
Target Milestone: | rc | |||
Target Release: | --- | |||
Hardware: | All | |||
OS: | Linux | |||
Whiteboard: | ||||
Fixed In Version: | strace-5.13-3.el8 | Doc Type: | Enhancement | |
Doc Text: |
.The `strace` utility can now display mismatches between the actual SELinux contexts and the definitions extracted from the SELinux context database
An existing `--secontext` option of `strace` has been extended with the `mismatch` parameter. This parameter enables to print the expected context along with the actual one upon mismatch only. The output is separated by double exclamation marks (`!!`), first the actual context, then the expected one. In the examples below, the `full,mismatch` parameters print the expected full context along with the actual one because the user part of the contexts mismatches. However, when using a solitary `mismatch`, it only checks the type part of the context. The expected context is not printed because the type part of the contexts matches.
----
[...]
$ strace --secontext=full,mismatch -e statx stat /home/user/file
statx(AT_FDCWD, "/home/user/file" [system_u:object_r:user_home_t:s0!!unconfined_u:object_r:user_home_t:s0], ...
$ strace --secontext=mismatch -e statx stat /home/user/file
statx(AT_FDCWD, "/home/user/file" [user_home_t:s0], ...
----
SELinux context mismatches often cause access control issues associated with SELinux. The mismatches printed in the system call traces can significantly expedite the checks of SELinux context correctness. The system call traces can also explain specific kernel behavior with respect to access control checks.
|
Story Points: | --- | |
Clone Of: | ||||
: | 2038965 2038991 2038992 (view as bug list) | Environment: | ||
Last Closed: | 2022-05-10 15:20:52 UTC | Type: | Bug | |
Regression: | --- | Mount Type: | --- | |
Documentation: | --- | CRM: | ||
Verified Versions: | Category: | --- | ||
oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | ||
Cloudforms Team: | --- | Target Upstream Version: | ||
Embargoed: |
Description
Renaud Métrich
2022-01-10 07:44:25 UTC
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (strace bug fix and enhancement update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHEA-2022:2026 |