Re: The sort algorithm is broken by the second rule, We need a way to pin these rules to the top.

[Joshua Brindle <jbrindle@tresys.com>]

Stephen Smalley wrote:
> On Fri, 2006-03-31 at 14:18 -0500, Joshua Brindle wrote:
>> I think libsemanage should just put the .local file out for libselinux 
>> to read. There is no guarantee that none of the entries on .local won't 
>> be preceded by something in the normal file context if it is merged in 
>> libsemanage.
> 
> Last matching entry takes precedence, so as long as they are merged to
> the end of file_contexts (as they presently are), the local entries will
> always take precedence over any earlier matching entry.
> 
If a user adds a file context entry with a regex operator to .local it 
will get overridden by a specific match in the policy, I think this 
would be unexpected to the end user.

>>  This is the same thing we do for file_contexts.homedirs so 
>> why not do it with .local? (Also, if we merge .local into the normal fc 
>> file then the .local can't override .homedirs)
> 
> .homedirs is a bit different in that it is generated via genhomedircon
> from a policy-provided template.  The last point is true - that does
> yield a difference between ordering of entries added via semanage
> fcontext -a vs. manually put into file_contexts.local.
> 
> However, changing libsemanage to install file_contexts.local instead of
> merging it now is a behavioral change that could clobber an existing
> file_contexts.local, so we'd have to be very careful about the "upgrade"
> situation and we'd likely want to push that to FC5 ASAP so that users
> there don't get used to being able to manually tinker with
> file_contexts.local separately.
> 

Right, it's too bad we didn't do this before the release.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.