Support For Security Context ?
Am I missing something or does exa not support security contexts? It seems weird to me that it wouldn't because vanilla ls does, i.e. ls -Z. More information about it can be found under man ls or here. No security context is unfortunately a deal breaker for me :(
Looks like Stebalien/xattr has a crate with extended attr functionality... and platform support looks restricted to macos, linux, and bsd. I'd like to take a stab at this!
exa already supports xattrs, except it uses its own implementation rather than using the xattr crate. There’s probably a lot of overlap between the two and it might be worth switching to it.
Anyway, I do want exa to eventually support all the features currently used by all the ls-es, including security contexts and anything else that gets listed by that flag. To support something like this, exa needs one of the following:
- A C header file full of types and functions that can be called from Rust, or
- An existing Rust crate for SELinux.
I can’t find 2, but there is a header file for SELinux that looks promising. We would need to copy the functions into Rust extern sections, write an interface to them so it works with exa’s File type, and then find a way to turn the result into a Cell and add a new column type so exa can display it. It’s a little complicated but, looking at the xattrs implementation, something similar has already been done.
Unfortunately, unless someone takes up the mantle, I don’t think I’m going to be able to do this in at least the next development cycle. I’m going to leave this issue open in the backlog but give it the vague “in-the-future” 1.0.0 milestone. Sorry!
Also, I just ran ls -Z on some of the servers at work. 50% of the files replied with system_u:object_r:bin_t:s0 and the other half replied with just ? and a bunch of spaces.
This looks like something exa could inject colour into. I’m assuming that those fields are colon-separated, and those fields have to mean something, even if I don’t know what.
Yes they have meaning. ;) SELinux context contains 4 fields:
- system_u - user field
- object_r - role field
- user_home_t - type field
- s0 - level field
Unfortunately the last field can be more complicated and contain :, for example: s0-s15:c1,c2.
? means that your server was installed with SELinux and then it was disabled, which means that new files were created without context.
@ogham Is exa able to show selinux context now? I can't find any mention of selinux in the manpage.
@shibumi nope
This ticket is still open, and is milestoned for "eventual", so sadly, no it has not been implemented yet.
Mh, sad. This is the only part that is missing for me.
A UX idea from a lurker: colorize the SELinux labels to indicate to the user if a file is mislabeled.
Mislabeled files are one of the top causes of problems with SELinux [1], so perhaps it would be useful to highlight parts of the label (maybe in red) that differ from the expected value from that part of the label? (this presumably would require querying the SELinux policy, and I don't know how expensive that is)
"-Z" is the option for viewing SELinux labels in "ls" and in "ps", and IIRC in other tools.
Hope this is constructive
[1] https://access.redhat.com/documentation/en-us/red_hat_enterprise_linux/6/html/security-enhanced_linux/sect-security-enhanced_linux-troubleshooting-top_three_causes_of_problems
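The four-field label format and the mislabel-highlighting idea from the comments above, as an added example that is not part of the thread or of exa's code: it splits a label so the level field keeps its own colons, treats ? as unlabeled, and reports which fields differ from an expected label. All names are hypothetical, and the expected label is assumed to be supplied by the caller (looking it up in the SELinux policy is not shown).

```rust
// Added example, not exa code; all names here are hypothetical.

/// The four colon-separated fields of an SELinux security context.
#[derive(Debug, PartialEq)]
struct Context<'a> {
    user: &'a str,
    role: &'a str,
    kind: &'a str,  // the "type" field (`type` is a Rust keyword)
    level: &'a str, // may itself contain ':', e.g. "s0-s15:c1,c2"
}

/// Parse the label text shown for one file by `ls -Z`.
/// Returns None for "?" (file has no label) or a label with a missing field.
fn parse_context(raw: &str) -> Option<Context<'_>> {
    let raw = raw.trim();
    if raw == "?" {
        return None;
    }
    // Split on the first three colons only, so the level keeps any colons of its own.
    let mut parts = raw.splitn(4, ':');
    let ctx = Context {
        user: parts.next()?,
        role: parts.next()?,
        kind: parts.next()?,
        level: parts.next()?,
    };
    if [ctx.user, ctx.role, ctx.kind, ctx.level].iter().any(|f| f.is_empty()) {
        return None;
    }
    Some(ctx)
}

/// Names of the fields in `actual` that differ from `expected`:
/// the parts a listing column could highlight as possibly mislabeled.
fn differing_fields(actual: &Context, expected: &Context) -> Vec<&'static str> {
    let pairs = [
        ("user", actual.user, expected.user),
        ("role", actual.role, expected.role),
        ("type", actual.kind, expected.kind),
        ("level", actual.level, expected.level),
    ];
    pairs.iter().filter(|(_, a, e)| a != e).map(|(n, _, _)| *n).collect()
}

fn main() {
    // Constructed sample labels, taken from the forms quoted in the thread.
    let expected = parse_context("system_u:object_r:bin_t:s0").unwrap();
    let actual = parse_context("system_u:object_r:user_home_t:s0-s15:c1,c2").unwrap();
    println!("differs in: {:?}", differing_fields(&actual, &expected));
}
```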
I just found this: https://lib.rs/crates/selinux-sys Are you looking for something similar (or this, exactly)?
Glad to see this being worked on! Hopefully this gets merged soon.