Re: [PATCH] contrib/selinux: use regex instead of non-standard bash macro

Hi Danish, On Mon, 27 Oct 2025 14:19:14 +0530 Danish Prakash wrote:

On 10/16/25 4:26 PM, Max Chernoff wrote:

...

Hi Stefano,

On Thu, 2025-10-16 at 10:21 +0200, Stefano Brivio wrote:

...

On Thu, 16 Oct 2025 13:10:41 +0530 Danish Prakash wrote:

...

It might be possible to avoid using non-standard bash macro (%USERID),

It's not a Bash macro, it's a SELinux template. This doesn't seem to be documented anywhere (which isn't terribly surprising with SELinux), but it's defined in this file:

https://github.com/SELinuxProject/selinux/blob/ceb5b221/libsemanage/src/genh...

Thanks Max, I wasn't aware of it being an SELinux template.

...

...

I wonder if Max remembers any reason why we couldn't do this in the first place.

The Fedora SELinux policy always uses %{USERID}, and so I copied it from there:

$ grep -RnF '%{USERID}' policy/ policy/modules/contrib/dbus.fc:29:/run/user/%{USERID}/bus -s gen_context(system_u:object_r:session_dbusd_tmp_t,s0) policy/modules/contrib/dbus.fc:30:/run/user/%{USERID}/dbus(/.*)? gen_context(system_u:object_r:session_dbusd_tmp_t,s0) policy/modules/contrib/dbus.fc:31:/run/user/%{USERID}/dbus-1(/.*)? gen_context(system_u:object_r:session_dbusd_tmp_t,s0) policy/modules/contrib/gnome.fc:25:/run/user/%{USERID}/\.orc(/.*)? gen_context(system_u:object_r:gstreamer_home_t,s0) policy/modules/contrib/gnome.fc:26:/run/user/%{USERID}/dconf(/.*)? gen_context(system_u:object_r:config_home_t,s0) policy/modules/contrib/gnome.fc:27:/run/user/%{USERID}/keyring.* gen_context(system_u:object_r:gkeyringd_tmp_t,s0) policy/modules/kernel/filesystem.fc:17:/run/user/%{USERID}/gvfs -d gen_context(system_u:object_r:fusefs_t,s0) policy/modules/kernel/filesystem.fc:18:/run/user/%{USERID}/gvfs/.* <<none>> policy/modules/system/userdomain.fc:38:/run/user/%{USERID} -d gen_context(system_u:object_r:user_tmp_t,s0) policy/modules/system/userdomain.fc:39:/run/user/%{USERID}/.+ <<none>>

$ grep -RnF '[0-9]+' policy/ | grep -v /dev/ policy/modules/contrib/rpm.fc:52:/usr/bin/rhn_check-[0-9]+\.[0-9]+ -- gen_context(system_u:object_r:rpm_exec_t,s0) policy/modules/contrib/soundserver.fc:12:/run/yiff-[0-9]+\.pid -- gen_context(system_u:object_r:soundd_var_run_t,s0) policy/modules/kernel/devices.if:6958:## Allow read the hfi1_[0-9]+ devices

...

...

diff --git a/contrib/fedora/passt.spec b/contrib/fedora/passt.spec index 663289f53d97..d1bcf4a74338 100644 --- a/contrib/fedora/passt.spec +++ b/contrib/fedora/passt.spec [...]

At a glance, this looks like a better solution regardless of the reported issue. It sounds too good to be true, though

I agree that it looks like a good solution, which makes me wonder why the base SELinux policies don't do it that way. The containers SELinux policy appears to do things this way

$ grep -RnF '[0-9]+' container_selinux.8:166: /run/user/[0-9]+/gvfs $ grep -RnF '%{USERID}'; echo $? 1

so it's probably (?) okay though.

That's helpful, I guess we can go ahead with this. Stefano, Paul?

Sure. But back to my question about the original problem... what was the original problem? :) Could it be something similar to: https://bugzilla.redhat.com/show_bug.cgi?id=2401764 ? In general, there are a bunch of current SELinux issues reported on Fedora/RHEL (and I assume they would be exactly the same on openSUSE/SLES): https://bugzilla.redhat.com/buglist.cgi?bug_status=__open__&columnlist=short_desc%2Cchangeddate%2Cbug_severity&component=passt&product=Fedora and I'm trying to find out if this change might fix some of them. Most of those are stuff I didn't investigate yet. -- Stefano