Just a quick thought.

Just a quick thought.

[Daniel J Walsh]

Now that we have labelling equivalence should we just add a 

/lib64 /lib
/usr/lib64 /usr/lib
/usr/local/lib64 /usr/local/lib

Seems we could simplify policy and prevent many mistakes.  Might speed up regex matching a little bit.


grep 64 /etc/selinux/targeted/contexts/files/file_contexts | wc
    259     735   18694


If were were more agressive

/usr/local /usr
/opt /usr




--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Just a quick thought.

[Christopher J. PeBenito]

On Tue, 2009-08-04 at 07:20 -0400, Daniel J Walsh wrote:
> Now that we have labelling equivalence should we just add a 
> 
> /lib64 /lib
> /usr/lib64 /usr/lib
> /usr/local/lib64 /usr/local/lib
> 
> Seems we could simplify policy and prevent many mistakes.  Might speed up regex matching a little bit.
> 
> 
> grep 64 /etc/selinux/targeted/contexts/files/file_contexts | wc
>     259     735   18694
> 
> 
> If were were more agressive
> 
> /usr/local /usr
> /opt /usr

Makes sense to me.  But is there a way for the policy to specify an
equivalence, or is it currently limited to the semanage cli?

-- 
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150


--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Just a quick thought.

[Paul Howarth]

On 04/08/09 12:20, Daniel J Walsh wrote:
> Now that we have labelling equivalence should we just add a
>
> /lib64 /lib
> /usr/lib64 /usr/lib
> /usr/local/lib64 /usr/local/lib
>
> Seems we could simplify policy and prevent many mistakes.  Might speed up regex matching a little bit.

It would also remove the need for the /lib(64)? style regexes 
altogether, which are unfortunately close to the start of the pathname 
and cause these patterns to score poorly when being considered as a 
possible match for a filename.

> grep 64 /etc/selinux/targeted/contexts/files/file_contexts | wc
>      259     735   18694
>
>
> If were were more aggressive
>
> /usr/local /usr

That looks sane.

> /opt /usr

Don't agree with that one. /opt tends to fill with things like 
/opt/appname and only then the regular structure underneath there with 
/bin, /man etc.

Paul.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.

Re: Just a quick thought.

[Daniel J Walsh]

On 08/04/2009 08:05 AM, Christopher J. PeBenito wrote:
> On Tue, 2009-08-04 at 07:20 -0400, Daniel J Walsh wrote:
>> Now that we have labelling equivalence should we just add a 
>>
>> /lib64 /lib
>> /usr/lib64 /usr/lib
>> /usr/local/lib64 /usr/local/lib
>>
>> Seems we could simplify policy and prevent many mistakes.  Might speed up regex matching a little bit.
>>
>>
>> grep 64 /etc/selinux/targeted/contexts/files/file_contexts | wc
>>     259     735   18694
>>
>>
>> If were were more agressive
>>
>> /usr/local /usr
>> /opt /usr
> 
> Makes sense to me.  But is there a way for the policy to specify an
> equivalence, or is it currently limited to the semanage cli?
> 
Currently it is CLI, but it should probably be merged into the sandbox, some how.

--
This message was distributed to subscribers of the selinux mailing list.
If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with
the words "unsubscribe selinux" without quotes as the message.