From: Russell Coker <russell.coker@daisee.com>
To: Nicolas Iooss
CC: selinux@vger.kernel.org
Subject: Re: wildcards in file_contexts.subs for NixOS
Date: Mon, 25 Feb 2019 00:18:56 +0000
Message-ID: <2478884.YWGnduq3BQ@neuromancer>
References: <7853167.K65cXu0y11@neuromancer>
On Sunday, 24 February 2019 11:36:34 PM AEDT Nicolas Iooss wrote:
> I agree it would be nice to be able to use SELinux on NixOS, and that
> the first step consists in handling the file paths that are very
> specific to this distribution. The patch you submitted adds the
> support of source file contexts ending with "/*", but it does not
> allow things like "match /chroot/nix/*/bin and replace it with
> /usr/bin". This could be solved in several ways. The most
> straightforward way probably consists in making selabel_sub_key() call
> selabel_sub() several times, until no substitution occurred. Another
> possibility could consist in using fnmatch() or regexp to match the
> source pattern of substitution files, but I guess this would impact
> performance too much.

We should be able to accept the performance overhead of regexes because we
typically do less than a dozen checks of the subs file before doing hundreds of
checks of the file_contexts file which has regexes (on my Debian/Stretch laptop
there are 4572 lines in the file_contexts file and 27 in the subst file including
comments). I'm not advocating regexes as such, merely suggesting that we
shouldn't rule out the possibility.

You are correct that my patch misses the double level needed. The way the
code works is that the custom subst file is checked and then the distribution
subst file is checked afterwards. I had put in my NixOS rule as a custom subst
file (via semanage fcontext) so the tests passed. I had also misread the
source to think that it was already doing recursive checks of the subst files.

> I agree with adding support of source entries ending with "/*" in file
> context substitution files. If others agree with this, for the next
> iteration of the patch I suggest naming the new member of struct
> selabel_sub "ends_with_star" instead of "wildcard". This would make
> the code easier to understand.

Sure, that sounds like a reasonable idea.

Before I get to the stage of submitting a patch with a merge request I'll put
in some comments too.

Russell Coker
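The two ideas in the thread, a source entry ending in "/*" that matches one path component, and a substitution pass repeated until nothing changes so that a NixOS store path can be rewritten in two levels, written out as an added C example. This is a constructed illustration and not libselinux code: the `sub_entry` table, the matching rules, the `sub_path()` / `sub_once()` names and the pass limit are all assumptions of the example, and the sample substitution tables are made up for it.

```c
#include <stdio.h>
#include <string.h>

/* Toy model of a file_contexts.subs entry ("src dst"). A src ending in "/*"
 * matches exactly one non-empty path component there ("ends_with_star").
 * Constructed example, not libselinux code. */
struct sub_entry {
    const char *src;
    const char *dst;
};

/* Bytes of `path` consumed by `src` on a match, 0 if the entry does not
 * apply. Matches end on a component boundary: "/bin" never matches "/binary". */
static size_t match_prefix(const char *src, const char *path)
{
    size_t slen = strlen(src), n;

    if (slen >= 2 && strcmp(src + slen - 2, "/*") == 0) {
        size_t lit = slen - 1;            /* literal part incl. trailing '/' */
        if (strncmp(src, path, lit) != 0)
            return 0;
        n = lit;
        if (path[n] == '\0' || path[n] == '/')
            return 0;                     /* '*' needs one non-empty component */
        while (path[n] != '\0' && path[n] != '/')
            n++;
    } else {
        if (strncmp(src, path, slen) != 0)
            return 0;
        n = slen;
    }
    return (path[n] == '\0' || path[n] == '/') ? n : 0;
}

/* One pass: apply the first matching entry. Returns 1 if substituted (result
 * in `out`), 0 if nothing matched, -1 if `out` is too small. */
static int sub_once(const struct sub_entry *t, const char *path,
                    char *out, size_t outlen)
{
    for (; t->src != NULL; t++) {
        size_t n = match_prefix(t->src, path), dlen;
        const char *rest;

        if (n == 0)
            continue;
        rest = path + n;
        dlen = strlen(t->dst);
        if (dlen > 0 && t->dst[dlen - 1] == '/' && rest[0] == '/')
            dlen--;                       /* avoid "//" when dst is "/" */
        if (dlen + strlen(rest) + 1 > outlen)
            return -1;
        memcpy(out, t->dst, dlen);
        strcpy(out + dlen, rest);
        return 1;
    }
    return 0;
}

#define SUB_MAX_PASSES 8

/* Repeat sub_once() until no entry applies, the looping approach discussed in
 * the thread. The pass limit keeps a table whose dst re-matches its own src
 * (e.g. "/a" -> "/a/b") from rewriting forever. Returns 0 with the final path
 * in `out`, or -1 on overflow or when the limit is hit. */
int sub_path(const struct sub_entry *t, const char *path, char *out, size_t outlen)
{
    char buf[4096];
    int pass;

    if (strlen(path) + 1 > outlen)
        return -1;
    strcpy(out, path);
    for (pass = 0; pass < SUB_MAX_PASSES; pass++) {
        int r = sub_once(t, out, buf, sizeof buf);
        if (r <= 0)
            return r;                     /* 0: fixed point; -1: overflow */
        if (strlen(buf) + 1 > outlen)
            return -1;
        strcpy(out, buf);
    }
    return -1;
}

/* Constructed tables: sample_subs strips the store prefix on pass one so a
 * plain "/bin /usr/bin" alias can apply on pass two; loop_subs never settles. */
const struct sub_entry sample_subs[] = {
    { "/nix/store/*", "/" }, { "/bin", "/usr/bin" }, { "/sbin", "/usr/sbin" },
    { NULL, NULL }
};
const struct sub_entry loop_subs[] = { { "/a", "/a/b" }, { NULL, NULL } };

/* 1 if `path` substitutes to exactly `expected`, 0 if it settles on something
 * else, -1 if sub_path() gives up. */
int sub_path_check(const struct sub_entry *t, const char *path, const char *expected)
{
    char out[4096];
    if (sub_path(t, path, out, sizeof out) != 0)
        return -1;
    return strcmp(out, expected) == 0;
}

int main(void)
{
    const char *p = "/nix/store/abc123-coreutils-8.30/bin/ls";
    char out[4096];

    if (sub_path(sample_subs, p, out, sizeof out) == 0)
        printf("%s -> %s\n", p, out);     /* /usr/bin/ls */
    return 0;
}
```

With the sample table, `/nix/store/abc123-coreutils-8.30/bin/ls` becomes `/bin/ls` on the first pass and `/usr/bin/ls` on the second, which is the "double level" a single pass cannot give. The pass limit is the check worth keeping if the looping approach is adopted: once substitution is repeated, an entry whose destination matches its own source (or two entries that map into each other) never reaches a fixed point, and without a bound a single bad line in a subs file would hang every labelling call.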