genfscon question

Eric Paris eparis at redhat.com
Mon Sep 20 17:57:16 UTC 2010


On Mon, 2010-09-20 at 11:07 +0200, Roberto Sassu wrote:
> Hi all
> 
> I want to create a custom filesystem policy using the genfscon statement for labelling
> files. I need to specify rules with the wildcard character, in order to obtain the same behaviour 
> for multiple subdirectories but this is currently unsupported (building of the policy fails).
> Are there security/design concerns about introducing this feature, or can it be added
> by patching the code?
> Thanks in advance for replies.

genfscon is only usable to label inodes when we know the name and path
to that inode is immutable.  Thus you will see in policy that we use
genfscon to label only the / directory of most filesystem types.  The
only places we use more than / is in /proc and /sys where the kernel
determines the name of the objects and those names are both
deterministic and immutable.

Aside from the fact that trying to use name-based labeling breaks the
security model (we label the object, not the name of the object) on
general purpose filesystems, your specific request has technical issues
in that the kernel has no regular expression parser.  I see that as an
insurmountable hurdle if you try to actually implement this.

-Eric
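As an added example (not part of Eric's reply or of the SELinux code base): a small Python model of how the kernel resolves a genfscon entry, which makes the point above concrete. Each genfscon path is a literal string prefix and the longest matching prefix wins, so `genfscon proc /net ...` already covers every object beneath /net without a wildcard; what cannot be expressed is a pattern such as `/foo/*/bar`, and a wildcard character is rejected at policy build time rather than interpreted. The policy lines and contexts below are constructed for the example.

```python
# Added example: model of genfscon resolution (longest literal prefix wins).
# Not the kernel's code; it mirrors the lookup loop in security_genfs_sid(),
# which compares each entry's path to the object's path with a plain
# fixed-length string compare. The object class filter is omitted here.
import re

# Constructed policy fragment, modelled on the proc/sysfs entries of the
# reference policy: "genfscon <fstype> <path-prefix> <context>".
POLICY = """
genfscon proc  /            system_u:object_r:proc_t:s0
genfscon proc  /net         system_u:object_r:proc_net_t:s0
genfscon proc  /sys/kernel  system_u:object_r:sysctl_kernel_t:s0
genfscon sysfs /            system_u:object_r:sysfs_t:s0
"""

GENFSCON_RE = re.compile(r"^genfscon\s+(\S+)\s+(\S+)\s+(\S+)$")

def parse_policy(text):
    """Return {fstype: [(prefix, context), ...]}, longest prefix first.
    Paths are literal prefixes; a glob character is a build error, since
    the kernel has no pattern matcher that could act on it."""
    entries = {}
    for line in text.strip().splitlines():
        m = GENFSCON_RE.match(line.strip())
        if not m:
            raise ValueError("malformed genfscon line: %r" % line)
        fstype, prefix, ctx = m.groups()
        if any(ch in prefix for ch in "*?["):
            raise ValueError("wildcard in genfscon path: %r" % prefix)
        entries.setdefault(fstype, []).append((prefix, ctx))
    for lst in entries.values():
        lst.sort(key=lambda e: len(e[0]), reverse=True)
    return entries

def is_valid_policy(text):
    """True if every genfscon line parses and contains no wildcard."""
    try:
        parse_policy(text)
        return True
    except ValueError:
        return False

def genfs_lookup(entries, fstype, path):
    """Longest-prefix match: the first entry (longest first) whose prefix
    starts the path supplies the context. Note it is a pure string prefix,
    so /net would also match a sibling named /netfoo; the real policy
    relies on the kernel's fixed, predictable names to avoid that."""
    for prefix, ctx in entries.get(fstype, []):
        if path.startswith(prefix):
            return ctx
    return None  # filesystem has no genfscon entries; other labeling applies
```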
