Re: [PATCH] contrib/selinux: use regex instead of non-standard bash macro

On 10/27/25 2:37 PM, Stefano Brivio wrote:

Hi Danish,

On Mon, 27 Oct 2025 14:19:14 +0530 Danish Prakash wrote:

...

On 10/16/25 4:26 PM, Max Chernoff wrote:

...

Hi Stefano,

On Thu, 2025-10-16 at 10:21 +0200, Stefano Brivio wrote:

...

On Thu, 16 Oct 2025 13:10:41 +0530 Danish Prakash wrote:

...

It might be possible to avoid using non-standard bash macro (%USERID),

It's not a Bash macro, it's a SELinux template. This doesn't seem to be documented anywhere (which isn't terribly surprising with SELinux), but it's defined in this file:

https://github.com/SELinuxProject/selinux/blob/ceb5b221/libsemanage/src/genh...

Thanks Max, I wasn't aware of it being an SELinux template.

...

...

I wonder if Max remembers any reason why we couldn't do this in the first place.

The Fedora SELinux policy always uses %{USERID}, and so I copied it from there:

$ grep -RnF '%{USERID}' policy/ policy/modules/contrib/dbus.fc:29:/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_tmp_t,s0) policy/modules/contrib/dbus.fc:30:/run/user/%{USERID}/dbus(/.*)? gen_context(system_u:object_r:session_dbusd_tmp_t,s0) policy/modules/contrib/dbus.fc:31:/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_tmp_t,s0) policy/modules/contrib/gnome.fc:25:/run/user/%{USERID}/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) policy/modules/contrib/gnome.fc:26:/run/user/%{USERID}/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0) policy/modules/contrib/gnome.fc:27:/run/user/%{USERID}/keyring.* gen_context(system_u:object_r:gkeyringd_tmp_t,s0) policy/modules/kernel/filesystem.fc:17:/run/user/%{USERID}/gvfs -d gen_context(system_u:object_r:fusefs_t,s0) policy/modules/kernel/filesystem.fc:18:/run/user/%{USERID}/gvfs/.* <<none>> policy/modules/system/userdomain.fc:38:/run/user/%{USERID} -d gen_context(system_u:object_r:user_tmp_t,s0) policy/modules/system/userdomain.fc:39:/run/user/%{USERID}/.+ <<none>>

$ grep -RnF '[0-9]+' policy/ | grep -v /dev/ policy/modules/contrib/rpm.fc:52:/usr/bin/rhn_check-[0-9]+\.[0-9]+ -- gen_context(system_u:object_r:rpm_exec_t,s0) policy/modules/contrib/soundserver.fc:12:/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0) policy/modules/kernel/devices.if:6958:## Allow read the hfi1_[0-9]+ devices

...

...

diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec index 663289f53d97..d1bcf4a74338 100644 --- a/contrib/fedora/passt.spec +++ b/contrib/fedora/passt.spec [...]

At a glance, this looks like a better solution regardless of the reported issue. It sounds too good to be true, though

I agree that it looks like a good solution, which makes me wonder why the base SELinux policies don't do it that way. The containers SELinux policy appears to do things this way

$ grep -RnF '[0-9]+' container_selinux.8:166: /run/user/[0-9]+/gvfs $ grep -RnF '%{USERID}'; echo $? 1

so it's probably (?) okay though.

That's helpful, I guess we can go ahead with this. Stefano, Paul?

Sure. But back to my question about the original problem... what was the original problem? :) Could it be something similar to:

https://bugzilla.redhat.com/show_bug.cgi?id=2401764

?

Ah, sorry about that. No, it's not a functionality issue or a bug. It was merely a few suggestions to improve the passt SUSE package from the SELinux team at SUSE. Here are the suggestions: 1. building twice is quite a hack, setting a hardlink as in apparmor would probably work as well and is less confusing 2. running restorecon would be unnecessary if the passt upstream selinux module would not use ${USERID} in pasta.fc (gets converted to [0-9]+ anyway) 3. there is a %selinux_requires macro in selinux-policy-devel that likely could be used instead of listing the Requires:, but okay we dont enforce that atm For #1 I can see that building twice is required in this case, and unlike apparmor which can work with hardlinks, doing the same for SELinux isn't possible with inodes in the picture. #2 is what this patch is about, and #3 is SUSE-exclusive which I'm fixing in parallel.

In general, there are a bunch of current SELinux issues reported on Fedora/RHEL (and I assume they would be exactly the same on openSUSE/SLES):

https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&columnlist=short_desc%2Cchangeddate%2Cbug_severity&component=passt&product=Fedora

and I'm trying to find out if this change might fix some of them. Most of those are stuff I didn't investigate yet.

Unfortunately no, I was notified of a few spec related errors from colleagues, but I'm sure the errors would overlap, as you said. If there's something I can help, please let me know, I'll be happy to contribute. regards -- danishpraka.sh