kmod-nvidia-1.0.8178-6.2.6.16_1.2080_FC5
Stephen Smalley
sds at tycho.nsa.gov
Thu Mar 30 17:26:23 UTC 2006
On Thu, 2006-03-30 at 09:13 -0800, alan wrote:
> On Thu, 30 Mar 2006, Stephen Smalley wrote:
>
> >> In FC5 we have
> >>
> >> /usr(/.*)?/nvidia/.*\.so(\..*)? --
> >> gen_context(system_u:object_r:textrel_shlib_t,s0)
> >
> > Looks like it is being overriden by a later entry in file_contexts:
> > /usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
>
> Is there a way to log an error when an overlap like this occurs?
Such overlap is a normal part of file_contexts; you put more general
expressions first to provide defaults (e.g. mapping everything with no
matching spec to default_t via /.*, mapping all .so files under /usr/lib
not otherwise specified to lib_t via the regex above, etc) and then
provide more specific refinements. There is an improved sorting
algorithm coming for file_contexts, but it can't do much when you have
two roughly equally generic regexes like the above two - which is more
specific? Fully specified paths (no regexes) always win, of course.
--
Stephen Smalley
National Security Agency
More information about the fedora-list
mailing list