selinux prelink avc's (broken paths in policy?)
Daniel J Walsh
dwalsh at redhat.com
Wed May 24 15:20:32 UTC 2006
Christopher Ashworth wrote:
> On Wed, 2006-05-24 at 16:06 +0100, Paul Howarth wrote:
>
>> Christopher Ashworth wrote:
>>
>>> On Wed, 2006-05-24 at 15:22 +0100, Paul Howarth wrote:
>>>
>>>
>>>> Is the sorting algorithm documented somewhere (the wiki?)?
>>>>
>>> The sorting algorithm is based on the following heuristics, applied in
>>> this order:
>>>
>>> When comparing two file contexts A and B...
>>>
>>> - if A is a regular expression and B is not, A is less specific than B
>>> - if A's stem length (the number of characters before the first regular
>>> expression wildcard) is shorter than B's stem length, A is less specific
>>> than B
>>> - if A's string length (the entire length of the file context string) is
>>> shorter than B's string length, A is less specific than B
>>> - if A does not have a specified type and B does, A is less specific
>>> than B.
>>> - else, they are considered equally specific.
>>>
>> If there are two or more equally specific matches, is one picked at random?
>>
>> Paul.
>>
>
> The sort is stable, so the order of the original file contexts is
> maintained. The result is a list of all the file contexts sorted from
> least specific to most specific.
>
> When assigning the file contexts, the list is consulted in order of most
> to least specific. The first match wins. If there were two contexts
> that are considered equally specific, the original order given by the
> author will determine which one wins.
>
> Chris
>
Chris, I just put some of your comments on my blog and out on
http://fedoraproject.org/wiki/SELinux
I have a better understanding of this now.
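
The ordering and lookup described in the quoted messages, as an added example that is not part of the original thread and is not the policy tools' own code. The wildcard character set, the use of `None` for "no specified type", and the sample entries are assumptions made for illustration.

```python
import re

# Assumption: these characters count as regular-expression wildcards.
META = set(".^$?*+|[({")

def stem_len(pattern):
    """Characters before the first regex wildcard (whole length if none)."""
    return next((i for i, ch in enumerate(pattern) if ch in META), len(pattern))

def rank(entry):
    """Specificity key; the tuple order mirrors the order of the heuristics."""
    pattern, ctx = entry
    stem = stem_len(pattern)
    is_regex = stem < len(pattern)
    # regex < literal, short stem < long stem, short string < long, untyped < typed
    return (not is_regex, stem, len(pattern), ctx is not None)

def sort_contexts(entries):
    """Least to most specific. sorted() is stable, so ties keep author order."""
    return sorted(entries, key=rank)

def lookup(sorted_entries, path):
    """Walk from most to least specific; the first full match wins.
    In this sketch the reversed walk reaches the later-listed entry first
    when two entries are equally specific."""
    for pattern, ctx in reversed(sorted_entries):
        if re.fullmatch(pattern, path):
            return pattern, ctx
    return None

# Constructed sample entries: (path regex, type, or None for "no type specified").
SAMPLE = [
    ("/.*", "default_t"),
    ("/usr/lib(64)?/.*", "lib_t"),
    ("/usr/sbin/prelink", "prelink_exec_t"),
    ("/usr/.*", "usr_t"),
    ("/var/log/.*", "var_log_t"),
    ("/var/log/.+", "other_log_t"),   # ties with the entry above
    ("/var/tmp/.*", None),
]

if __name__ == "__main__":
    ordered = sort_contexts(SAMPLE)
    for path in ("/usr/sbin/prelink", "/usr/lib64/libc.so.6",
                 "/usr/share/doc", "/var/log/messages", "/var/tmp/x"):
        print(path, "->", lookup(ordered, path))
```

A path such as `/var/tmp/x` resolves to the type-less entry even though `/.*` also matches, because the longer stem is consulted first.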