[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [PATCH] Sort file contexts

To: Joshua Brindle <jbrindle@xxxxxxxxxx>
Subject: Re: [PATCH] Sort file contexts
From: Stephen Smalley <sds@xxxxxxxxxxxxx>
Date: Thu, 27 Oct 2005 09:30:29 -0400
Cc: SELinux-dev@xxxxxxxxxx, SELinux List <SELinux@xxxxxxxxxxxxx>
In-reply-to: <1130356067.7724.6.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Organization: National Security Agency
References: <1130356067.7724.6.camel@xxxxxxxxxxxxxxxxxxxxxxxxxxx>
Sender: owner-selinux@xxxxxxxxxxxxx

On Wed, 2005-10-26 at 15:47 -0400, Joshua Brindle wrote:
> This patch changes matchpathcon to sort the file contexts according to a previous email from
> Chris PeBenito:
> 
> ---
> To try to fix this we looked for regular expression sorting algorithms,
> but pretty much came up empty.  So we wrote support/fc_sort.c to do a
> stable sort (merge sort) with this comparison function:
> 
> 1. does one have a meta chars and the other not
> 2. length of the spec up to the first meta char
> 3. length of the entire spec
> 4. does one have a specific file type (--, -d, etc.) and the other not
> ---

I ran setfiles prior to applying this patch to ensure that the
filesystem was labeled consistently with the existing logic, then
applied this patch and ran setfiles -nv.  This reports a variety of
changes in security context (on a rawhide system with strict policy).  A
few examples are below.  I know that we talked about this issue earlier
and plan to insert additional patterns as needed, but it seems that we
need to coordinate that update to file_contexts with this change.
Another issue that occurs to me is whether we want to sort all of the
file contexts (including .homedirs and .local) together, or if we want
to sort them separately and then combine them in a well-defined ordering
(i.e. all local entries are higher precedence than the base).

relabeling /usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/bin from system_u:object_r:bin_t to system_u:object_r:lib_t
relabeling /usr/lib/jvm/java-1.4.2-gcj-1.4.2.0/bin/java from system_u:object_r:java_exec_t to system_u:object_r:lib_t
relabeling /usr/lib/debug/usr/bin from system_u:object_r:bin_t to system_u:object_r:lib_t
relabeling /usr/lib/debug/usr/bin/checkpolicy.debug from system_u:object_r:bin_t to system_u:object_r:lib_t  
relabeling /usr/lib/mozilla-1.7.12/mozilla-xremote-client from system_u:object_r:mozilla_exec_t to system_u:object_r:bin_t
relabeling /usr/lib/openoffice.org2.0/program/libsoffice.so from system_u:object_r:texrel_shlib_t to system_u:object_r:shlib_t

-- 
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with
the words "unsubscribe selinux" without quotes as the message.

Prev by Date: Re: squid policy
Next by Date: Re: [ SEMANAGE ] Implement dbase_file_set, fix memleak
Previous by thread: Re: [ SEMANAGE ] Implement dbase_file_set, fix memleak
Next by thread: [ SEMANAGE ] Enable things for testing, add missing set relay
Index(es):
- Date
- Thread

This mailing list archive is a service of Copilot Consulting.