selinux prelink avc's (broken paths in policy?)

Paul Howarth paul at city-fan.org
Wed May 24 15:20:33 UTC 2006


Christopher Ashworth wrote:
> On Wed, 2006-05-24 at 16:06 +0100, Paul Howarth wrote:
>> Christopher Ashworth wrote:
>>> On Wed, 2006-05-24 at 15:22 +0100, Paul Howarth wrote:
>>>
>>>> Is the sorting algorithm documented somewhere (the wiki?)?
>>> The sorting algorithm is based on the following heuristics, applied in
>>> this order:
>>>
>>> When comparing two file contexts A and B...
>>>
>>> - if A is a regular expression and B is not, A is less specific than B
>>> - if A's stem length (the number of characters before the first regular
>>> expression wildcard) is shorter than B's stem length, A is less specific
>>> than B
>>> - if A's string length (the entire length of the file context string) is
>>> shorter than B's string length, A is less specific than B
>>> - if A does not have a specified type and B does, A is less specific
>>> than B.
>>> - else, they are considered equally specific.
>> If there are two or more equally specific matches, is one picked at random?
>>
>> Paul.
> 
> The sort is stable, so the order of the original file contexts is
> maintained. The result is a list of all the file contexts sorted from
> least specific to most specific.
> 
> When assigning the file contexts, the list is consulted in order of most
> to least specific.  The first match wins.  If there were two contexts
> that are considered equally specific, the original order given by the
> author will determine which one wins.

So in other words, in the event of a tie, the one nearest the bottom of 
the list (in the file_contexts file or the output of "semanage fcontext 
-l") is determined to be the most specific and that one wins. Is that right?

Paul.
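The sort-and-lookup behaviour described in the quoted reply, modelled as an added Python example (not code from the thread or from libselinux; the regex metacharacter set, the constructed file_contexts entries and the function names are my assumptions). It shows the stable least-to-most-specific sort, the most-to-least-specific lookup, and that in a tie the entry later in the file wins:

```python
import re
from dataclasses import dataclass
from functools import cmp_to_key
from typing import List, Optional

# Assumed set of characters that start a regular expression in a path spec;
# the stem is everything before the first of them.
REGEX_META = set(".^$?*+|[({\\")

@dataclass(frozen=True)
class FileContext:
    path_spec: str
    file_type: Optional[str]   # e.g. "--", "-d", or None when not given
    label: str                 # security context assigned on a match

def stem_len(spec: str) -> int:
    return next((i for i, ch in enumerate(spec) if ch in REGEX_META), len(spec))

def is_regex(spec: str) -> bool:
    return stem_len(spec) < len(spec)

def compare(a: FileContext, b: FileContext) -> int:
    """<0: a less specific than b, >0: more specific, 0: equally specific."""
    if is_regex(a.path_spec) != is_regex(b.path_spec):      # heuristic 1
        return -1 if is_regex(a.path_spec) else 1
    if stem_len(a.path_spec) != stem_len(b.path_spec):      # heuristic 2
        return -1 if stem_len(a.path_spec) < stem_len(b.path_spec) else 1
    if len(a.path_spec) != len(b.path_spec):                # heuristic 3
        return -1 if len(a.path_spec) < len(b.path_spec) else 1
    if (a.file_type is None) != (b.file_type is None):      # heuristic 4
        return -1 if a.file_type is None else 1
    return 0                                                # equally specific

def sort_by_specificity(contexts: List[FileContext]) -> List[FileContext]:
    # Python's sort is stable, so tied entries keep their file order.
    return sorted(contexts, key=cmp_to_key(compare))

def lookup(contexts: List[FileContext], path: str, file_type: str = "--") -> Optional[str]:
    """Consult the list from most to least specific; the first match wins."""
    for fc in reversed(sort_by_specificity(contexts)):
        if fc.file_type is not None and fc.file_type != file_type:
            continue
        if re.fullmatch(fc.path_spec, path):
            return fc.label
    return None

# Constructed sample entries, in the order an author might write them.
SAMPLE = [
    FileContext("/usr/bin(/.*)?", None, "system_u:object_r:bin_t:s0"),
    FileContext("/usr/bin/foo", None, "system_u:object_r:first_t:s0"),
    FileContext("/usr/bin/foo", "-d", "system_u:object_r:foo_dir_t:s0"),
    FileContext("/usr/bin/foo", None, "system_u:object_r:second_t:s0"),
]
```

For "/usr/bin/foo" as a regular file the two untyped identical entries tie, and the later one (second_t) wins, which is the conclusion Paul draws above.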
