selinux prelink avc's (broken paths in policy?)

Christopher Ashworth cashworth at tresys.com
Wed May 24 15:12:36 UTC 2006


On Wed, 2006-05-24 at 16:06 +0100, Paul Howarth wrote:
> Christopher Ashworth wrote:
> > On Wed, 2006-05-24 at 15:22 +0100, Paul Howarth wrote:
> > 
> >> Is the sorting algorithm documented somewhere (the wiki?)?
> > 
> > The sorting algorithm is based on the following heuristics, applied in
> > this order:
> > 
> > When comparing two file contexts A and B...
> > 
> > - if A is a regular expression and B is not, A is less specific than B
> > - if A's stem length (the number of characters before the first regular
> > expression wildcard) is shorter than B's stem length, A is less specific
> > than B
> > - if A's string length (the entire length of the file context string) is
> > shorter than B's string length, A is less specific than B
> > - if A does not have a specified type and B does, A is less specific
> > than B.
> > - else, they are considered equally specific.
> 
> If there are two or more equally specific matches, is one picked at random?
> 
> Paul.

The sort is stable, so the order of the original file contexts is
maintained. The result is a list of all the file contexts sorted from
least specific to most specific.

When assigning the file contexts, the list is consulted in order of most
to least specific.  The first match wins.  If there were two contexts
that are considered equally specific, the original order given by the
author will determine which one wins.

Chris
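The ordering and lookup described in this message, as an added sketch that is not part of the original post and not the policy tools' own code. Assumptions: the metacharacter set, reading "specified type" as the optional file-type field (such as `--`), and walking the sorted list backwards so that, among equally specific entries, the one written later wins; the sample entries are constructed.

```python
import re

META = set(".^$?*+|[({")  # assumed metacharacter set; not given in the thread

def stem_len(path):
    """Number of characters before the first unescaped regex metacharacter."""
    i = 0
    while i < len(path):
        if path[i] == "\\":      # backslash-escaped character is literal
            i += 2
            continue
        if path[i] in META:
            return i
        i += 1
    return len(path)

def parse(line):
    """Split 'path [file-type] context' into a dict."""
    fields = line.split()
    ftype = fields[1] if len(fields) == 3 else None
    return {"path": fields[0], "ftype": ftype, "context": fields[-1]}

def specificity(e):
    """Sort key: the four heuristics, compared in the order listed."""
    stem = stem_len(e["path"])
    is_regex = stem < len(e["path"])
    return (not is_regex, stem, len(e["path"]), e["ftype"] is not None)

def sort_contexts(lines):
    """Least to most specific; sorted() is stable, so ties keep input order."""
    return sorted((parse(l) for l in lines), key=specificity)

def lookup(entries, path, ftype=None):
    """Walk from most to least specific; the first match wins."""
    for e in reversed(entries):
        if e["ftype"] and ftype and e["ftype"] != ftype:
            continue
        if re.fullmatch(e["path"], path):
            return e["context"]
    return None

# Constructed sample entries, not taken from any real policy.
SAMPLE = [
    "/.*  system_u:object_r:default_t",
    "/usr/.*  system_u:object_r:usr_t",
    "/srv/.*  system_u:object_r:srv_a_t",
    "/srv/.+  system_u:object_r:srv_b_t",
    "/usr/lib(64)?/.*  system_u:object_r:lib_t",
    "/usr/sbin/prelink  --  system_u:object_r:prelink_exec_t",
    "/usr/sbin/.*  system_u:object_r:sbin_t",
]

if __name__ == "__main__":
    for e in sort_contexts(SAMPLE):
        print(specificity(e), e["path"], e["context"])
```
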