[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]

Re: selinux prelink avc's (broken paths in policy?)



Christopher Ashworth wrote:
> On Wed, 2006-05-24 at 16:06 +0100, Paul Howarth wrote:
>> Christopher Ashworth wrote:
>>> On Wed, 2006-05-24 at 15:22 +0100, Paul Howarth wrote:
>>>
>>>> Is the sorting algorithm documented somewhere (the wiki?)?
>>> The sorting algorithm is based on the following heuristics, applied in
>>> this order:
>>>
>>> When comparing two file contexts A and B...
>>>
>>> - if A is a regular expression and B is not, A is less specific than B
>>> - if A's stem length (the number of characters before the first regular
>>>   expression wildcard) is shorter than B's stem length, A is less specific
>>>   than B
>>> - if A's string length (the entire length of the file context string) is
>>>   shorter than B's string length, A is less specific than B
>>> - if A does not have a specified type and B does, A is less specific
>>>   than B.
>>> - else, they are considered equally specific.
>> If there are two or more equally specific matches, is one picked at random?
>>
>> Paul.
>
> The sort is stable, so the order of the original file contexts is
> maintained. The result is a list of all the file contexts sorted from
> least specific to most specific.
>
> When assigning the file contexts, the list is consulted in order of most
> to least specific.  The first match wins.  If there were two contexts
> that are considered equally specific, the original order given by the
> author will determine which one wins.

So in other words, in the event of a tie, the one nearest the bottom of the list (in the file_contexts file or the output of "semanage fcontext -l") is determined to be the most specific and that one wins. Is that right?

Paul.
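The specificity sort and first-match lookup described in the quoted messages, worked through in Python. This is an added example, not code from libselinux, setfiles, semanage or any of the posters. The set of characters treated as regex metacharacters, the file-type flags (`--`, `-d`), the function names and the sample file_contexts lines are all assumptions or constructed here. It takes the description literally: a stable sort from least to most specific, then the list is consulted from the most specific end, so of two equally specific entries the one written later in the file is tried first; the `/usr/sbin/prelink` pair in the sample shows that tie case.

```python
"""Specificity sort for file_contexts entries as described in the thread,
plus a most-to-least-specific first-match lookup.  Added example only."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumption: characters that make a path spec a regular expression.
# The thread does not list them; this set is an illustration.
REGEX_META = set(".^$?*+|[](){}\\")


@dataclass(frozen=True)
class FileContext:
    spec: str              # path spec exactly as written in file_contexts
    ftype: Optional[str]   # optional file-type flag such as "--" or "-d"
    context: str           # security context to assign on a match


def parse_file_contexts(text: str) -> List[FileContext]:
    """Parse 'spec [ftype] context' lines; '#' comments and blanks ignored."""
    entries = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 3:
            spec, ftype, ctx = fields
        elif len(fields) == 2:
            (spec, ctx), ftype = fields, None
        else:
            raise ValueError(f"malformed file_contexts line: {line!r}")
        entries.append(FileContext(spec, ftype, ctx))
    return entries


def stem_len(spec: str) -> int:
    """Characters before the first regex metacharacter (whole spec if none)."""
    for i, c in enumerate(spec):
        if c in REGEX_META:
            return i
    return len(spec)


def is_regex(spec: str) -> bool:
    return stem_len(spec) < len(spec)


def specificity_key(fc: FileContext) -> Tuple[int, int, int, int]:
    """Sort key ascending from least to most specific.  Comparing the tuple
    fields left to right applies the thread's heuristics in order: a
    literal beats a regex, then longer stem, then longer string, then an
    explicit file type beats none."""
    return (
        0 if is_regex(fc.spec) else 1,
        stem_len(fc.spec),
        len(fc.spec),
        0 if fc.ftype is None else 1,
    )


def sort_least_to_most(entries: List[FileContext]) -> List[FileContext]:
    # sorted() is stable, so equally specific entries keep the order the
    # policy author wrote them in.
    return sorted(entries, key=specificity_key)


def matches(fc: FileContext, path: str, ftype: str) -> bool:
    if fc.ftype is not None and fc.ftype != ftype:
        return False
    if is_regex(fc.spec):
        return re.fullmatch(fc.spec, path) is not None
    return fc.spec == path


def lookup(entries: List[FileContext], path: str, ftype: str = "--") -> Optional[str]:
    """Consult the sorted list from most to least specific; first match wins.
    Walking the ascending list backwards means that, of two equally specific
    entries, the one written later in the file is tried first."""
    for fc in reversed(sort_least_to_most(entries)):
        if matches(fc, path, ftype):
            return fc.context
    return None


# Constructed sample policy for the demonstration, not a real file_contexts.
SAMPLE = """
/.*                          system_u:object_r:default_t:s0
/usr(/.*)?                   system_u:object_r:usr_t:s0
/usr/bin(/.*)?               system_u:object_r:bin_t:s0
/usr/bin/prelink        --   system_u:object_r:prelink_exec_t:s0
# two equally specific entries for one path: a deliberate tie
/usr/sbin/prelink       --   system_u:object_r:bin_t:s0
/usr/sbin/prelink       --   system_u:object_r:prelink_exec_t:s0
"""
ENTRIES = parse_file_contexts(SAMPLE)

if __name__ == "__main__":
    for fc in sort_least_to_most(ENTRIES):
        print(specificity_key(fc), fc.spec, fc.ftype or "", fc.context)
    for p, t in [("/usr/bin/ls", "--"), ("/usr/bin/prelink", "--"),
                 ("/usr/bin/prelink", "-d"), ("/usr/sbin/prelink", "--")]:
        print(p, t, "->", lookup(ENTRIES, p, t))
```

Running it prints the sorted list with its keys, then the lookups: `/usr/bin/prelink` as a regular file gets `prelink_exec_t`, the same path as a directory falls through the `--` entry to the `/usr/bin(/.*)?` regex, and the tied `/usr/sbin/prelink` pair resolves to the entry written last.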

