SELinux Security Module development
From: Petr Lautrbach <plautrba@redhat.com>
To: Vit Mojzis <vmojzis@redhat.com>, selinux@vger.kernel.org
Subject: Re: [PATCH] selinux(8,5): Describe fcontext regular expressions
Date: Fri, 19 Feb 2021 16:16:37 +0100
Message-ID: <87im6oozoq.fsf@redhat.com>
In-Reply-To: <87r1lefuqz.fsf@redhat.com>

Petr Lautrbach <plautrba@redhat.com> writes:

> Vit Mojzis <vmojzis@redhat.com> writes:
>
>> Describe which type of regular expression is used in file context
>> definitions and which flags are in effect.
>>
>> Explain how local file context modifications are processed.
>>
>> Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
>
> Acked-by: Petr Lautrbach <plautrba@redhat.com>

Merged, thanks!


>> ---
>>
>>  libselinux/man/man5/selabel_file.5  |  9 ++++++++-
>>  python/semanage/semanage            |  2 +-
>>  python/semanage/semanage-fcontext.8 | 18 ++++++++++++++++++
>>  3 files changed, 27 insertions(+), 2 deletions(-)
>>
>> diff --git a/libselinux/man/man5/selabel_file.5 b/libselinux/man/man5/selabel_file.5
>> index e97bd826..baba7776 100644
>> --- a/libselinux/man/man5/selabel_file.5
>> +++ b/libselinux/man/man5/selabel_file.5
>> @@ -125,7 +125,14 @@ Where:
>>  .RS
>>  .I pathname
>>  .RS
>> -An entry that defines the pathname that may be in the form of a regular expression.
>> +An entry that defines the path to be labeled.
>> +May contain either a fully qualified path,
>> +or a Perl compatible regular expression (PCRE),
>> +describing fully qualified path(s).
>> +The only PCRE flag in use is PCRE2_DOTALL,
>> +which causes a wildcard '.' to match anything, including a new line.
>> +Strings representing paths are processed as bytes (as opposed to Unicode),
>> +meaning that non-ASCII characters are not matched by a single wildcard.
>>  .RE
>>  .I file_type
>>  .RS
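
Review bot: the last added sentence in the pathname entry, "non-ASCII characters are not matched by a single wildcard", says what fails without saying what works. Because paths are matched as bytes, a character encoded as several bytes needs one '.' per byte; stating that, or pointing to a quantified form such as '.+', would let a reader write a spec that matches. Also, "a new line" should read "a newline".
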
>> diff --git a/python/semanage/semanage b/python/semanage/semanage
>> index 125271df..18a27105 100644
>> --- a/python/semanage/semanage
>> +++ b/python/semanage/semanage
>> @@ -379,7 +379,7 @@ If you do not specify a file type, the file type will default to "all files".
>>      parser_add_seuser(fcontextParser, "fcontext")
>>      parser_add_type(fcontextParser, "fcontext")
>>      parser_add_range(fcontextParser, "fcontext")
>> -    fcontextParser.add_argument('file_spec', nargs='?', default=None, help=_('file_spec'))
>> +    fcontextParser.add_argument('file_spec', nargs='?', default=None, help=_('Path to be labeled (may be in the form of a Perl compatible regular expression)'))
>>      fcontextParser.set_defaults(func=handleFcontext)
>>  
>>  
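
Review bot: the new help string for file_spec drops the "fully qualified" requirement that both man page hunks state ("describing fully qualified path(s)"), so the --help output and the manuals describe the same argument differently. Suggest "Fully qualified path to be labeled (may be a Perl compatible regular expression)". The string is wrapped in _(), so the changed message will also need to be picked up by the translations.
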
>> diff --git a/python/semanage/semanage-fcontext.8 b/python/semanage/semanage-fcontext.8
>> index 561123af..49635ba7 100644
>> --- a/python/semanage/semanage-fcontext.8
>> +++ b/python/semanage/semanage-fcontext.8
>> @@ -11,6 +11,24 @@ SELinux policy without requiring modification to or recompilation
>>  from policy sources.  semanage fcontext is used to  manage the default
>>  file system labeling on an SELinux system.  This command maps file paths using regular expressions to SELinux labels.
>>  
>> +FILE_SPEC may contain either a fully qualified path,
>> +or a Perl compatible regular expression (PCRE),
>> +describing fully qualified path(s). The only PCRE flag in use is PCRE2_DOTALL,
>> +which causes a wildcard '.' to match anything, including a new line.
>> +Strings representing paths are processed as bytes (as opposed to Unicode),
>> +meaning that non-ASCII characters are not matched by a single wildcard.
>> +
>> +Note, that file context definitions specified using 'semanage fcontext'
>> +(i.e. local file context modifications stored in file_contexts.local)
>> +have higher priority than those specified in policy modules.
>> +This means that whenever a match for given file path is found in
>> +file_contexts.local, no other file context definitions are considered.
>> +Entries in file_contexts.local are processed from most recent one to the oldest,
>> +with first match being used (as opposed to the most specific match,
>> +which is used when matching other file context definitions).
>> +All regular expressions should therefore be as specific as possible,
>> +to avoid unintentionally impacting other parts of the filesystem.
>> +
>>  .SH "OPTIONS"
>>  .TP
>>  .I  \-h, \-\-help
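
Review bot: the first added FILE_SPEC paragraph repeats the selabel_file.5 wording almost line for line, so the two copies can drift; consider keeping the regular expression details in selabel_file(5) and referring to it from here. In the precedence paragraph, the first-match rule ("processed from most recent one to the oldest") is the part an administrator is most likely to trip over, and a short two-entry example of a later broad pattern overriding an earlier specific one would make it concrete. Wording: "Note, that" should be "Note that", and "for given file path" needs an article.
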
>> -- 
>> 2.29.2


Thread overview: 3+ messages
2021-02-10 17:05 [PATCH] selinux(8,5): Describe fcontext regular expressions Vit Mojzis
2021-02-17 17:51 ` Petr Lautrbach
2021-02-19 15:16   ` Petr Lautrbach [this message]
