On 01/16/2014 04:44 AM, Chengwei Yang wrote:
> In both SELinux and SMACK environments, 'id -Z' reports the security
> context of the current process, the id process, rather than the security
> context of the current user.
> ---
> doc/coreutils.texi | 2 +-
> src/id.c | 2 +-
> 2 files changed, 2 insertions(+), 2 deletions(-)
>
> diff --git a/doc/coreutils.texi b/doc/coreutils.texi
> index 9a19cfa..6b7194a 100644
> --- a/doc/coreutils.texi
> +++ b/doc/coreutils.texi
> @@ -14564,7 +14564,7 @@ Print only the user ID.
> @cindex SELinux
> @cindex security context
> Print only the security context of the current user.
I'll change the above mention of "current user"
to also mention 'process'.
Some examples for my own reference:
$ id -Z
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ ps -ocontext= -p $$
unconfined_u:unconfined_r:unconfined_t:s0-s0:c0.c1023
$ runcon 'root:object_r:tmp_t:s0' id -Z
root:object_r:tmp_t:s0
> -If SELinux is disabled then print a warning and
> +If both SELinux and SMACK are disabled then print a warning and
> set the exit status to 1.
>
> @item -z
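Review bot: the context line "Print only the security context of the current user." is left untouched by this hunk even though the commit message says the value is the context of the id process rather than of the user; change it to say "process", with the same wording the src/id.c help string will use, so the manual and --help do not disagree. Since the hunk now names SMACK in the text, an @cindex SMACK entry next to the existing @cindex SELinux would also be in order.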
> diff --git a/src/id.c b/src/id.c
> index 803c360c..1007eb2 100644
> --- a/src/id.c
> +++ b/src/id.c
> @@ -89,7 +89,7 @@ or (when USER omitted) for the current user.\n\
> stdout);
> fputs (_("\
> -a ignore, for compatibility with other versions\n\
> - -Z, --context print only the security context of the current user\n\
> + -Z, --context print only the security context of the current process\n\
So this is a little ambiguous. In the SMACK64EXEC edge case,
is the current process referring to the id process or the
process it's being run from?
-Z, --context print only the security context inherited by the process
> -g, --group print only the effective group ID\n\
> -G, --groups print all group IDs\n\
> -n, --name print a name instead of a number, for -ugG\n\
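Review bot: "the current process" in the + line is ambiguous, because id's own process is the one whose context is printed, and the runcon example earlier in this reply shows that it can differ from the caller's context (a SMACK64EXEC label or an SELinux domain transition on exec both change it). Say which process is meant, for example "print only the security context of the process", and keep the wording identical to the doc/coreutils.texi text. The new string is also three characters longer than the one it replaces, so check that the help line still fits once the option column is counted.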
thanks,
Pádraig.
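As an added example, not part of this patch or of coreutils, the following C program reads the per-process attribute that both libselinux getcon() and libsmack smack_new_label_from_self() use, /proc/self/attr/current, and splits an SELinux context into its user, role, type and range fields. The contexts in its comments are the constructed samples from the reply above; the struct field sizes and the function names are this example's own choices. On a machine without SELinux or SMACK the attribute is not available and the program exits 1, which is the case the patch's "print a warning and set the exit status to 1" text describes.

```c
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <sys/types.h>

/* Parsed fields of an SELinux context "user:role:type[:range]".
 * The 64-byte field sizes are an assumption of this example. */
struct sectx {
    char user[64];
    char role[64];
    char type[64];
    char range[64];   /* empty when the policy has no MLS/MCS range */
};

/* Read this process's own label as the LSM exposes it.  libselinux getcon()
 * and libsmack smack_new_label_from_self() read this same file, which is
 * why the value is per-process, not per-user: it is whatever the kernel
 * attached to *this* task (inherited from the parent, or rewritten on exec
 * by an SELinux domain transition or a SMACK64EXEC label).
 * Returns the label length, or -1 when no LSM provides the attribute. */
static ssize_t read_self_context(char *buf, size_t n)
{
    FILE *f = fopen("/proc/self/attr/current", "r");
    if (!f)
        return -1;
    size_t len = fread(buf, 1, n - 1, f);
    fclose(f);
    /* SELinux terminates the value with a NUL, SMACK may end it with '\n';
     * strip both so callers see a plain C string. */
    while (len > 0 && (buf[len - 1] == '\0' || buf[len - 1] == '\n'))
        len--;
    buf[len] = '\0';
    return len == 0 ? -1 : (ssize_t)len;
}

/* True when LABEL has the user:role:type[:range] shape of an SELinux
 * context, e.g. "root:object_r:tmp_t:s0".  A SMACK label is a free-form
 * string such as "_" or "System" and has no such structure. */
static bool is_selinux_context(const char *label)
{
    size_t n = strlen(label);
    if (n == 0 || label[0] == ':' || label[n - 1] == ':')
        return false;
    int colons = 0;
    for (const char *p = label; *p; p++)
        if (*p == ':')
            colons++;
    return colons >= 2;
}

/* Split an SELinux context into its fields.  The range (everything after
 * the third ':') may itself contain ':' as in "s0-s0:c0.c1023", so it is
 * copied whole rather than split further.  Returns false when LABEL is not
 * an SELinux context, a field is empty, or a field does not fit. */
static bool split_selinux_context(const char *label, struct sectx *out)
{
    if (!is_selinux_context(label))
        return false;
    memset(out, 0, sizeof *out);
    char *fields[3] = { out->user, out->role, out->type };
    const char *p = label;
    for (int i = 0; i < 3; i++) {
        const char *colon = strchr(p, ':');
        size_t len = colon ? (size_t)(colon - p) : strlen(p);
        if (len == 0 || len >= sizeof out->user)
            return false;
        memcpy(fields[i], p, len);
        fields[i][len] = '\0';
        if (!colon)            /* exactly two colons: no range field */
            return true;
        p = colon + 1;
    }
    if (strlen(p) >= sizeof out->range)
        return false;
    strcpy(out->range, p);
    return true;
}

int main(void)
{
    char label[256];
    struct sectx c;
    if (read_self_context(label, sizeof label) < 0) {
        /* No SELinux/SMACK here: the case where id -Z warns and exits 1. */
        fprintf(stderr, "no security context available for this process\n");
        return 1;
    }
    if (split_selinux_context(label, &c))
        printf("SELinux: user=%s role=%s type=%s range=%s\n",
               c.user, c.role, c.type, c.range);
    else
        printf("label (SMACK or other LSM): %s\n", label);
    return 0;
}
```

Run under runcon as in the example above and it prints the context the new process was started with, not the caller's, which is exactly the distinction the wording change is about.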