Show SELinux label on failure #216
Merged
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
rhatdan
requested review from
kolyshkin,
mrunalp,
runcom and
thaJeztah
as code owners
Collaborator
Author
thaJeztah
reviewed
Jul 31, 2024
go-selinux/selinux_linux.go
Outdated
| } | ||
| if err != unix.EINTR { | ||
| return &os.PathError{Op: "lsetxattr", Path: fpath, Err: err} | ||
| return &os.PathError{Op: "lsetxattr", Path: fpath, Err: fmt.Errorf("label=%s: %v", label, err)} |
Member
There was a problem hiding this comment.
Looks like a linter failed (need to change %v for %w to preserve the original error);
Error: go-selinux/selinux_linux.go:332:94: non-wrapping format verb for fmt.Errorf. Use `%w` to format errors (errorlint)
return &os.PathError{Op: "lsetxattr", Path: fpath, Err: fmt.Errorf("label=%s: %v", label, err)}
^
Error: go-selinux/selinux_linux.go:351:93: non-wrapping format verb for fmt.Errorf. Use `%w` to format errors (errorlint)
return &os.PathError{Op: "setxattr", Path: fpath, Err: fmt.Errorf("label=%s: %v", label, err)}
^
Collaborator
Author
There was a problem hiding this comment.
Yikes that is what I meant, good job linter,
Member
|
Change otherwise SGTM; error will look something like this when printed; |
thaJeztah
previously approved these changes
Aug 1, 2024
Member
thaJeztah
left a comment
thaJeztah
left a comment
There was a problem hiding this comment.
LGTM
but pinging @kolyshkin if he has any concerns on wrapping the underlying error
kolyshkin
requested changes
Aug 2, 2024
Collaborator
kolyshkin
left a comment
kolyshkin
left a comment
There was a problem hiding this comment.
My only concern is os.PathError.Err is probably expected to be a raw syscall.Errno. There's some old code which still does something like this:
if pathError, ok := err.(*os.PathError); ok && pathError.Err != unix.EDQUOT && pathError.Err != unix.ENOSPC {and such code will obviously fail here.
So, maybe we can add extra context into Op instead. Something like
return &os.PathError{Op: "setxattr(label="+label+")", Path...This might be more bullet-proof as I have yet to see code which checks PathError.Op.
Collaborator
Author
|
@kolyshkin Ready to Merge? |
Member
Heh. I was originally considering posting exactly the same as an alternative, then didn't 😂. The checking for a raw |
thaJeztah
reviewed
Aug 7, 2024
go-selinux/selinux_linux.go
Outdated
| } | ||
| if err != unix.EINTR { | ||
| return &os.PathError{Op: "lsetxattr", Path: fpath, Err: err} | ||
| return &os.PathError{Op: fmt.Sprintf("lsetxattr(label=%q)", label), Path: fpath, Err: err} |
Member
There was a problem hiding this comment.
Not a hard blocker (and maybe it's why @kolyshkin used string-concatenation in his suggestion); I tend to avoid using %q in formatting more nowadays; it's a great option, but the downside is that the (double) quotes can become a bit noisy if these messages pass some layers, they will be escaped, for example, when passing over an API, or when logging, it may become something like;
error="setxattr(label=\"system_u:object_r:bin_t:s0:c3,c4\") /some/path: invalid argument"Assuming we don't expect any really horrible strings to be passed as label by someone, %s would probably still work as it would still be wrapped within the (label=<some value>);
error="setxattr(label=system_u:object_r:bin_t:s0:c3,c4) /some/path: invalid argument"Probably less relevant for this module, but printing the raw value without quotes may also help in cases where (e.g.) a value including quotes was passed (I had some cases where the user expected quotes to be stripped by their shell, but made a mistake).
We are seeing EINVAL errors with container engines setting SELinux labels. It would be helpful to see what Labels the engines are trying to set. Signed-off-by: Daniel J Walsh <[email protected]>
thaJeztah
approved these changes
Aug 7, 2024
Member
thaJeztah
left a comment
thaJeztah
left a comment
There was a problem hiding this comment.
LGTM!
Sorry for the back-and-forth 🫶
Member
|
@kolyshkin PTAL; I think this one should be ready to go, but the push dismissed your LGTM |
giuseppe
approved these changes
Aug 7, 2024
Member
|
I'll bring this one in; the current implementation is ~ matching @kolyshkin's suggestion (I merely asked him to re-review because we needed a second approval) |
project-mirrors-bot-tu bot
pushed a commit
to project-mirrors/forgejo-runner-as-gitea-act-runner-fork
that referenced
this pull request
Aug 3, 2025
This PR contains the following updates: | Package | Change | Age | Confidence | |---|---|---|---| | [github.com/opencontainers/selinux](https://github.com/opencontainers/selinux) | `v1.11.0` -> `v1.12.0` | [](https://docs.renovatebot.com/merge-confidence/) | [](https://docs.renovatebot.com/merge-confidence/) | --- ### Release Notes <details> <summary>opencontainers/selinux (github.com/opencontainers/selinux)</summary> ### [`v1.12.0`](https://github.com/opencontainers/selinux/releases/tag/v1.12.0) [Compare Source](opencontainers/selinux@v1.11.1...v1.12.0) This release removes deprecated functions from the `label` package, and improves documentation and error reporting of `SetCreateKey`. #### What's Changed - VERSION: remove by [@​kolyshkin](https://github.com/kolyshkin) in opencontainers/selinux#217 - CI: add AlmaLinux 8, CentOS Stream 9, and Fedora by [@​AkihiroSuda](https://github.com/AkihiroSuda) in opencontainers/selinux#221 - ci: install git-core by [@​kolyshkin](https://github.com/kolyshkin) in opencontainers/selinux#224 - CI: add openSUSE Tumbleweed by [@​AkihiroSuda](https://github.com/AkihiroSuda) in opencontainers/selinux#223 - Bump Go version, deps, fix some linter issues... by [@​kolyshkin](https://github.com/kolyshkin) in opencontainers/selinux#218 - label: remove deprecated stuff by [@​kolyshkin](https://github.com/kolyshkin) in opencontainers/selinux#228 - Improve SetKeyCreate error reporting, fix test flakes by [@​kolyshkin](https://github.com/kolyshkin) in opencontainers/selinux#227 **Full Changelog**: opencontainers/selinux@v1.11.1...v1.12.0 ### [`v1.11.1`](https://github.com/opencontainers/selinux/releases/tag/v1.11.1) [Compare Source](opencontainers/selinux@v1.11.0...v1.11.1) #### What's Changed - Bump to v1.11.0 by [@​rhatdan](https://github.com/rhatdan) in opencontainers/selinux#197 - fix some error by [@​ningmingxiao](https://github.com/ningmingxiao) in opencontainers/selinux#200 - ci: update Go 1.21 support by [@​michalbiesek](https://github.com/michalbiesek) in opencontainers/selinux#202 - Extend `build-cross` target with `riscv64` arch by [@​michalbiesek](https://github.com/michalbiesek) in opencontainers/selinux#201 - Remove nolint annotations for unix errno comparisons by [@​kolyshkin](https://github.com/kolyshkin) in opencontainers/selinux#203 - ci: bump some actions by [@​kolyshkin](https://github.com/kolyshkin) in opencontainers/selinux#205 - Misc nitpicks by [@​kolyshkin](https://github.com/kolyshkin) in opencontainers/selinux#206 - pwalk, pwalkdir: fix walk vs remove race by [@​kolyshkin](https://github.com/kolyshkin) in opencontainers/selinux#204 - Update GitHub Actions CI Go matrix for Go v1.22 by [@​austinvazquez](https://github.com/austinvazquez) in opencontainers/selinux#209 - Update GitHub Actions packages to resolve deprecation warnings. by [@​austinvazquez](https://github.com/austinvazquez) in opencontainers/selinux#208 - Add dependabot config by [@​kolyshkin](https://github.com/kolyshkin) in opencontainers/selinux#210 - build(deps): bump tim-actions/get-pr-commits from 1.3.0 to 1.3.1 by [@​dependabot](https://github.com/dependabot) in opencontainers/selinux#211 - build(deps): bump golangci/golangci-lint-action from 4 to 6 by [@​dependabot](https://github.com/dependabot) in opencontainers/selinux#213 - Show SELinux label on failure by [@​rhatdan](https://github.com/rhatdan) in opencontainers/selinux#216 #### New Contributors - [@​ningmingxiao](https://github.com/ningmingxiao) made their first contribution in opencontainers/selinux#200 - [@​michalbiesek](https://github.com/michalbiesek) made their first contribution in opencontainers/selinux#202 - [@​dependabot](https://github.com/dependabot) made their first contribution in opencontainers/selinux#211 **Full Changelog**: opencontainers/selinux@v1.11.0...v1.11.1 </details> --- ### Configuration 📅 **Schedule**: Branch creation - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC), Automerge - Between 12:00 AM and 03:59 AM ( * 0-3 * * * ) (UTC). 🚦 **Automerge**: Disabled by config. Please merge this manually once you are satisfied. ♻ **Rebasing**: Whenever PR becomes conflicted, or you tick the rebase/retry checkbox. 🔕 **Ignore**: Close this PR and you won't be reminded about this update again. --- - [ ] <!-- rebase-check -->If you want to rebase/retry this PR, check this box --- This PR has been generated by [Renovate Bot](https://github.com/renovatebot/renovate). <!--renovate-debug:eyJjcmVhdGVkSW5WZXIiOiI0MS40My41IiwidXBkYXRlZEluVmVyIjoiNDEuNDMuNSIsInRhcmdldEJyYW5jaCI6Im1haW4iLCJsYWJlbHMiOltdfQ==--> Reviewed-on: https://code.forgejo.org/forgejo/runner/pulls/801 Reviewed-by: earl-warren <[email protected]> Co-authored-by: Renovate Bot <[email protected]> Co-committed-by: Renovate Bot <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
4 participants
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
We are seeing EINVAL errors with container engines setting SELinux labels. It would be helpful to see what Labels the engines are trying to set.