Re: [PATCH] contrib/selinux: use regex instead of non-standard bash macro

Hi Stefano, On Thu, 2025-10-16 at 10:21 +0200, Stefano Brivio wrote:

On Thu, 16 Oct 2025 13:10:41 +0530 Danish Prakash wrote:

...

It might be possible to avoid using non-standard bash macro (%USERID),

It's not a Bash macro, it's a SELinux template. This doesn't seem to be documented anywhere (which isn't terribly surprising with SELinux), but it's defined in this file: https://github.com/SELinuxProject/selinux/blob/ceb5b221/libsemanage/src/genh...

I wonder if Max remembers any reason why we couldn't do this in the first place.

The Fedora SELinux policy always uses %{USERID}, and so I copied it from there: $ grep -RnF '%{USERID}' policy/ policy/modules/contrib/dbus.fc:29:/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_tmp_t,s0) policy/modules/contrib/dbus.fc:30:/run/user/%{USERID}/dbus(/.*)? gen_context(system_u:object_r:session_dbusd_tmp_t,s0) policy/modules/contrib/dbus.fc:31:/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_tmp_t,s0) policy/modules/contrib/gnome.fc:25:/run/user/%{USERID}/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) policy/modules/contrib/gnome.fc:26:/run/user/%{USERID}/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0) policy/modules/contrib/gnome.fc:27:/run/user/%{USERID}/keyring.* gen_context(system_u:object_r:gkeyringd_tmp_t,s0) policy/modules/kernel/filesystem.fc:17:/run/user/%{USERID}/gvfs -d gen_context(system_u:object_r:fusefs_t,s0) policy/modules/kernel/filesystem.fc:18:/run/user/%{USERID}/gvfs/.* <<none>> policy/modules/system/userdomain.fc:38:/run/user/%{USERID} -d gen_context(system_u:object_r:user_tmp_t,s0) policy/modules/system/userdomain.fc:39:/run/user/%{USERID}/.+ <<none>> $ grep -RnF '[0-9]+' policy/ | grep -v /dev/ policy/modules/contrib/rpm.fc:52:/usr/bin/rhn_check-[0-9]+\.[0-9]+ -- gen_context(system_u:object_r:rpm_exec_t,s0) policy/modules/contrib/soundserver.fc:12:/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0) policy/modules/kernel/devices.if:6958:## Allow read the hfi1_[0-9]+ devices

...

diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec index 663289f53d97..d1bcf4a74338 100644 --- a/contrib/fedora/passt.spec +++ b/contrib/fedora/passt.spec [...]

At a glance, this looks like a better solution regardless of the reported issue. It sounds too good to be true, though

I agree that it looks like a good solution, which makes me wonder why the base SELinux policies don't do it that way. The containers SELinux policy appears to do things this way $ grep -RnF '[0-9]+' container_selinux.8:166: /run/user/[0-9]+/gvfs $ grep -RnF '%{USERID}'; echo $? 1 so it's probably (?) okay though. Thanks, -- Max