Miloslav Trmač mitr at
Wed Jun 15 15:35:19 UTC 2011

On Wed, Jun 15, 2011 at 5:12 PM, Daniel J Walsh <dwalsh at> wrote:
> On 06/15/2011 11:03 AM, Miloslav Trmač wrote:
>> - At policy build time, precompute a DFA for all of the regexps, and
>> store it in a file.  This file could be mmap()ed into any user of the
>> policy, requiring no malloc(), and allowing the kernel to free the
>> memory when it is no longer used; this should also make loading of the
>> file_contexts configuration faster.
>>    Mirek
> I was wondering if this was possible.
Looking at the output of (semanage fcontext -l), it seems that all
entries could be handled by a DFA.  Of course this might mean changing
the documented semantics of the regexp (in particular to forbid
backreferences).  The practical question is whether the DFA will be
small enough; I can't really see much reason for a large state
explosion - most of the regexps are very simple.

>  Any example of how to do it?
Not really... the idea was prompted by a mention of re2c, but I
suppose you don't want to involve a C compiler in the policy build
process.  Still, that's something to start from.  (And of course, a
student of automata theory should be able to build this from scratch.
Perhaps a bachelor thesis?)
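
The following sketch is an added example, not part of the original message and not libselinux code: it compiles several backreference-free patterns into one DFA using Antimirov partial derivatives and packs it into a flat uint16 table of the kind a policy build could write to a file. Assumptions: the names `parse`, `pd`, `build` and `lookup`, the table layout, the supported regexp subset, whole-path matching, and "lowest pattern index wins" are all choices made for this example, and the sample patterns are constructed.

```python
import struct
EPS, NONE = ("eps",), 0xFFFF  # empty regex; "no pattern matched" marker
SAMPLE = ["/etc/passwd", "/var/log(/.*)?", "/usr/lib(64)?/.*\\.so"]  # constructed patterns

def parse(s, i=0):  # subset only: literals, \x, ".", "*", "?", "(...)"
    if i == len(s) or s[i] == ")":
        return EPS, i + 1
    c, i = s[i], i + 1
    if c == "(":
        atom, i = parse(s, i)
    elif c == "\\":
        atom, i = ("chr", ord(s[i])), i + 1
    else:
        atom = ("any",) if c == "." else ("chr", ord(c))
    while i < len(s) and s[i] in "*?":
        atom, i = ("star" if s[i] == "*" else "opt", atom), i + 1
    rest, i = parse(s, i)
    return ("cat", atom, rest), i

def nullable(r):  # does r match the empty string?
    return r[0] in ("eps", "star", "opt") or (r[0] == "cat" and all(map(nullable, r[1:])))

def pd(r, b):  # Antimirov partial derivatives: residual regexes after reading byte b
    if r[0] == "cat":
        rest = pd(r[2], b) if nullable(r[1]) else set()
        return {("cat", x, r[2]) for x in pd(r[1], b)} | rest
    if r[0] in ("star", "opt"):
        tail = r if r[0] == "star" else EPS
        return {("cat", x, tail) for x in pd(r[1], b)}
    return {EPS} if r[0] == "any" or (r[0] == "chr" and r[1] == b) else set()

def build(patterns):  # build-time step: subset construction into one flat table
    start = frozenset((n, parse(p)[0]) for n, p in enumerate(patterns))
    states, ids, accept, rows = [start], {start: 0}, [], []
    for st in states:  # worklist: the list grows as new states are discovered
        accept.append(min((n for n, r in st if nullable(r)), default=NONE))
        for b in range(256):
            nxt = frozenset((n, d) for n, r in st for d in pd(r, b))
            if nxt not in ids:
                states.append(nxt)
            rows.append(ids.setdefault(nxt, len(ids)))
    return struct.pack(f"{1 + len(accept) + len(rows)}H", len(states), *accept, *rows)

def lookup(dfa, path):  # dfa: any buffer (bytes or an mmap); path: bytes
    t = memoryview(dfa).cast("H")  # zero-copy view: [nstates][accept...][256 cells/state]
    n, state = t[0], 0
    for b in path:
        state = t[1 + n + 256 * state + b]
    return t[1 + state]
```

`lookup` only indexes into the buffer, so the bytes returned by `build` can be written to a file once and passed in as `mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ)` by every consumer. The table uses native byte order, so it must be read on the same architecture that built it.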

