File contexts again

Christopher Ashworth cashworth at tresys.com
Wed May 31 17:58:40 UTC 2006


On Wed, 2006-05-31 at 13:05 -0400, Stephen Smalley wrote:
> On Wed, 2006-05-31 at 12:54 -0400, Christopher Ashworth wrote:
> > On Wed, 2006-05-31 at 17:50 +0100, Paul Howarth wrote:
> > > Hmm, that doesn't explain why file contexts that aren't regexes do 
> > > actually work. So if I have:
> > > 
> > > /home/pgsql/pgstartup\.log      -- 
> > > gen_context(system_u:object_r:postgresql_log_t,s0)
> > > 
> > > this actually works as expected, even though the /home/[^/]*/.+
> > > homedir context also matches.
> > 
> > Ah, true.  I forgot you had said that this behavior was occurring.  It
> > seems I have misremembered what is happening.  Let me look again to
> > confirm what's going on.
> 
> libselinux gives precedence to fully specified pathnames (no regex
> characters).  Doesn't matter where they fall within the config files.

Ah, right; thanks.  (As specified in libselinux/src/matchpathcon.c)

So what I said before was true, modulo the fact that when the actual
call to matchpathcon is made, one final sort is performed, to give fully
specified pathnames precedence.

Seems like the end-to-end process is a bit confusing, what with several
layers of sorting going on, but I can't immediately suggest an
improvement.  I guess it's just a matter of documenting the life of file
contexts as clearly as possible.

Chris
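The precedence rule Stephen states and Chris confirms above (a file_contexts entry with no regex metacharacters beats a regex entry no matter where either sits in the file, and the `--` field restricts an entry to regular files) is easiest to see by running it. The following is an added example written for this page; it is not libselinux's matchpathcon code and not from anyone in the thread. It is a small Python model of the lookup that treats an escaped character such as `\.` as literal, so the pgstartup.log line counts as fully specified. It assumes that among the remaining regex entries the last matching line wins, which this message does not state, and the file_contexts fragment and the `_TYPE_CODES` table are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Regex metacharacters that make an entry a pattern rather than a fully
# specified pathname; a backslash-escaped character is literal.
_META_CHARS = set(".^$?*+|[({")

# Optional second field of a file_contexts line: restricts the entry to one
# file type. Table constructed for this example.
_TYPE_CODES = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "char",
               "-b": "block", "-s": "socket", "-p": "fifo"}


@dataclass
class Spec:
    path: str                  # pattern as written in file_contexts
    regex: re.Pattern          # the pattern anchored at both ends
    ftype: Optional[str]       # None means "any file type"
    context: Optional[str]     # None for <<none>>
    fully_specified: bool      # True when the path has no regex metachars


def has_meta_chars(path: str) -> bool:
    """True if `path` contains an unescaped regex metacharacter."""
    i = 0
    while i < len(path):
        if path[i] == "\\":
            i += 2              # skip the escaped character, it is literal
            continue
        if path[i] in _META_CHARS:
            return True
        i += 1
    return False


def parse_file_contexts(text: str) -> List[Spec]:
    """Parse lines of the form: PATH [TYPE] CONTEXT; '#' starts a comment."""
    specs = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split()
        if len(fields) == 2:
            path, ftype, context = fields[0], None, fields[1]
        elif len(fields) == 3:
            path, ftype, context = fields[0], _TYPE_CODES[fields[1]], fields[2]
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        specs.append(Spec(path, re.compile("^" + path + "$"), ftype,
                          None if context == "<<none>>" else context,
                          not has_meta_chars(path)))
    return specs


def matchpathcon(specs: List[Spec], path: str, ftype: str = "file") -> Optional[Spec]:
    """Return the Spec that labels `path`, or None if nothing matches.

    Fully specified entries are consulted first, wherever they appear in the
    file; among regex entries the last matching line wins (assumed here).
    """
    exact = [s for s in specs if s.fully_specified]
    patterns = [s for s in specs if not s.fully_specified]
    for spec in exact + patterns[::-1]:
        if spec.ftype is not None and spec.ftype != ftype:
            continue
        if spec.regex.match(path):
            return spec
    return None


# Constructed file_contexts fragment modeled on the entries in the thread.
# The fully specified pgstartup.log line is deliberately placed *before* the
# homedir pattern that also matches it.
FILE_CONTEXTS = r"""
# path                          type  context
/home/pgsql/pgstartup\.log      --    system_u:object_r:postgresql_log_t:s0
/home/[^/]*/.+                        system_u:object_r:user_home_t:s0
/var/log(/.*)?                        system_u:object_r:var_log_t:s0
/var/log/audit(/.*)?                  system_u:object_r:auditd_log_t:s0
"""

SPECS = parse_file_contexts(FILE_CONTEXTS)


def context_for(path: str, ftype: str = "file") -> Optional[str]:
    """Convenience wrapper over the constructed SPECS table."""
    spec = matchpathcon(SPECS, path, ftype)
    return spec.context if spec else None


if __name__ == "__main__":
    for p, t in [("/home/pgsql/pgstartup.log", "file"),
                 ("/home/pgsql/pgstartup.log", "dir"),
                 ("/home/alice/.bashrc", "file"),
                 ("/var/log/audit/audit.log", "file"),
                 ("/etc/passwd", "file")]:
        print(f"{p} ({t}) -> {context_for(p, t)}")
```

Two details worth checking against a real policy: the `--` field means the pgstartup.log entry only wins for a regular file (a directory of the same name falls through to the homedir pattern), and because `\.` is literal, a file named pgstartuplog without the dot is not fully matched and also falls through to the homedir pattern.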



