Record and restore SELinux context for mocked /dev nodes #222
Conversation
@ikerexxe : Do you mind having a quick look? Not necessarily on the implementation details (although any review there is much appreciated), but whether this suits your use case? You can test the packit COPR rpms even if you want. Thanks!
Meh, COPR builders have devices with a wholly different SELinux context, their /dev/null is unconfined_u:object_r:user_tmp_t:s0 -- likely an unpacked chroot tarball with static files?
That's better. I'll deal with this nixos failure tomorrow, but @ikerexxe you probably care most about Fedora or C9S?
Yes, Fedora or C9S is good for me. Unfortunately, I don't have any FIDO2 keys with me right now so I won't be able to test it until Monday 🤦
@ikerexxe : No worries. I'll sort out the nixos failure today in the meantime. BTW, @allisonkarlitskaya is very interested in mocking a FIDO2 key for testing -- is any of your test code public by any chance?
If libselinux is available, record the original node SELinux context into an internal `__DEVCONTEXT` property, and restore it in `umockdev-run`. This property can also be set via the API. Fixes #220
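The mechanism the description sketches, as an added example rather than umockdev's own code: read the label of the real node, carry it along in the device record as the `__DEVCONTEXT` property, and later compare the label of the emulated node against it (the `ls -lZ` check done further down in the thread). Assumptions: the property is serialized on an `E:` line like every other umockdev property, reading the `security.selinux` xattr stands in for libselinux's `getfilecon()`, and the hidraw record below is constructed (only the `usb_device_t` label is taken from the thread).

```python
import errno
import os

# Property name introduced by this PR for the recorded node label.
DEVCONTEXT_PROP = "__DEVCONTEXT"

# Constructed umockdev-style record for a hidraw node (device path made up).
SAMPLE_RECORD = """P: /devices/virtual/hidraw/hidraw8
N: hidraw8
E: DEVNAME=/dev/hidraw8
E: SUBSYSTEM=hidraw
"""


def get_selinux_context(path):
    """Return the SELinux label of *path*, or None when the kernel exposes none.

    Assumption: libselinux's getfilecon() reads the same security.selinux
    xattr, so os.getxattr is used here to avoid a libselinux dependency.
    """
    if not hasattr(os, "getxattr"):  # not Linux
        return None
    try:
        raw = os.getxattr(path, "security.selinux")
    except OSError as exc:
        if exc.errno in (errno.ENODATA, errno.ENOTSUP):
            return None  # no SELinux on this kernel, or an unlabeled file
        raise
    return raw.rstrip(b"\0").decode()


def parse_properties(record):
    """Collect the E: KEY=VALUE lines of a single-device record into a dict."""
    props = {}
    for line in record.splitlines():
        if line.startswith("E: ") and "=" in line:
            key, _, value = line[3:].partition("=")
            props[key] = value
    return props


def record_devcontext(record, context):
    """Store *context* as the __DEVCONTEXT property, replacing any earlier value.

    A None context (no libselinux / no label) leaves the record untouched,
    so recordings made on non-SELinux hosts stay unchanged.
    """
    if context is None:
        return record
    prefix = f"E: {DEVCONTEXT_PROP}="
    lines = [l for l in record.splitlines() if not l.startswith(prefix)]
    lines.append(prefix + context)
    return "\n".join(lines) + "\n"


def check_restored_context(record, node_path):
    """Compare the emulated node's label with the recorded one.

    Returns (expected, actual, ok); ok is False when the label was not
    restored or never recorded.
    """
    expected = parse_properties(record).get(DEVCONTEXT_PROP)
    actual = get_selinux_context(node_path)
    return expected, actual, expected is not None and expected == actual


if __name__ == "__main__":
    import sys

    node = sys.argv[1] if len(sys.argv) > 1 else "/dev/null"
    rec = record_devcontext(SAMPLE_RECORD, get_selinux_context(node))
    print(rec, end="")
    print("check:", check_restored_context(rec, node))
```

Run with a real device node as the argument on an SELinux host to see the label recorded and the check pass against the node itself; on a host without SELinux the record is emitted unchanged and the check reports `(None, None, False)`, which is the right result to surface rather than silently treating "no label" as a match.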
I don't think it's working as expected, but I might be doing something wrong. If I run the command before applying these changes I get the following selinux labels for the recordings:

```
ls -lZ
-rw-r--r--. 1 ipedrosa ipedrosa unconfined_u:object_r:user_home_t:s0 8262 dic 18 09:36 yk.ioctl
-rw-r--r--. 1 ipedrosa ipedrosa unconfined_u:object_r:user_home_t:s0 4081 dic 18 09:36 yk.script
-rw-r--r--. 1 ipedrosa ipedrosa unconfined_u:object_r:user_home_t:s0 10936 dic 18 09:36 yk.umockdev
```

As a reference, the device has the following labels:

```
ls -lZ /dev/hidraw8
crw-rw----+ 1 root root system_u:object_r:usb_device_t:s0 241, 8 dic 18 09:25 /dev/hidraw8
```

So, if I update the umockdev package and record the communication I'd expect to see

```
ls -lZ
-rw-r--r--. 1 ipedrosa ipedrosa unconfined_u:object_r:user_home_t:s0 8262 dic 18 09:38 selinux.ioctl
-rw-r--r--. 1 ipedrosa ipedrosa unconfined_u:object_r:user_home_t:s0 4336 dic 18 09:38 selinux.script
-rw-r--r--. 1 ipedrosa ipedrosa unconfined_u:object_r:user_home_t:s0 11087 dic 18 09:38 selinux.umockdev
```

Do I need to set any additional option in the CLI? It's not clear to me. By the way, I'm testing it using Fedora 39.
I'm not sure why you refer to the SELinux contexts of the recordings files. That is entirely a functionality between the shell and how you handle the files. They will be in git etc, which doesn't preserve SELinux context anyway. It also shouldn't matter. The point of this PR, and the subject of your bug report was the SELinux context of the emulated /dev/* nodes. To validate, I checked that the build log correctly builds with SELinux support:
I installed the rpms as described. With
Does that work for you? I.e. do you get
I shouldn't have done the testing on the Monday morning. Forget that comment.
Yes, that's working fine. If I run it for
@ikerexxe 🤣 We are all ready for some EOY holidays 😁 Thanks for testing!
Only two days and a half of work and I won't work again until next year 😄
Let's finish #221 first. I don't think it makes any sense for us, as we need the two functionalities.