On Wed, Jun 15, 2011 at 05:35:19PM +0200, Miloslav Trmač wrote:
> On Wed, Jun 15, 2011 at 5:12 PM, Daniel J Walsh <dwalsh@xxxxxxxxxx> wrote:
> > On 06/15/2011 11:03 AM, Miloslav Trmač wrote:
> >> - At policy build time, precompute a DFA for all of the regexps, and
> >> store it in a file. This file could be mmap()ed into any user of the
> >> policy, requiring no malloc(), and allowing the kernel to free the
> >> memory when it is no longer used; this should also make loading of the
> >> file_contexts configuration faster.
> >>    Mirek
> >
> > I was wondering if this was possible.
> Looking at the output of (semanage fcontext -l), it seems that all
> entries could be handled by a DFA. Of course this might mean changing
> the documented semantics of the regexp (in particular to forbid
> backreferences). The practical question is whether the DFA will be
> small enough, I can't really see much reason for a large state
> explosion - most of the regexps are very simple.
>
> > Any example of how to do it?
> Not really... the idea was prompted by a mention of re2c, but I
> suppose you don't want to involve a C compiler in the policy build
> process. Still, that's something to start from. (And of course, a
> student of automata theory should be able to build this from scratch.
> Perhaps a bachelor thesis?)

Rather than writing from scratch, modify:

http://augeas.net/libfa/

Rich.

--
Richard Jones, Virtualization Group, Red Hat http://people.redhat.com/~rjones
virt-p2v converts physical machines to virtual machines. Boot with
a live CD or over the network (PXE) and turn machines into Xen guests.
http://et.redhat.com/~rjones/virt-p2v
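A sketch of the precompute-then-mmap() idea from the quoted proposal, added here as an illustration and not taken from the thread, libfa, or libselinux. The image layout, the function names `dfa_build` and `dfa_lookup`, the integer context id, and the restriction to patterns of the form `<prefix>(/.*)?` are all assumptions made for the example.

```c
#include <fcntl.h>
#include <stdint.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/stat.h>
#include <unistd.h>

/* Constructed image layout (not an SELinux format): word 0 = nstates, then one 257-word
 * row per state: accept value, then next state per input byte. State 0 = dead, 1 = start. */
enum { ROW = 257, MAXST = 64, NOCTX = -1 };
/* Build step (hypothetical helper): compile <prefix>(/.*)? into a table, write it to path. */
int dfa_build(const char *path, const char *prefix, int32_t ctx) {
    static uint32_t img[1 + MAXST * ROW];
    size_t n = strlen(prefix), len = (1 + (n + 3) * ROW) * sizeof(uint32_t);
    if (n + 3 > MAXST) return -1;
    memset(img, 0, sizeof img);                 /* all transitions default to dead state 0 */
    img[0] = (uint32_t)n + 3;
    for (size_t s = 0; s < n + 3; s++) img[1 + s * ROW] = (uint32_t)NOCTX;
    for (size_t i = 0; i < n; i++)              /* literal chain: states 1..n+1 */
        img[1 + (1 + i) * ROW + 1 + (unsigned char)prefix[i]] = (uint32_t)(2 + i);
    img[1 + (n + 1) * ROW] = (uint32_t)ctx;     /* the prefix itself accepts */
    img[1 + (n + 1) * ROW + 1 + '/'] = (uint32_t)(n + 2);
    img[1 + (n + 2) * ROW] = (uint32_t)ctx;     /* so does anything under prefix/ */
    for (int c = 0; c < 256; c++) img[1 + (n + 2) * ROW + 1 + c] = (uint32_t)(n + 2);
    int fd = open(path, O_WRONLY | O_CREAT | O_TRUNC, 0600);
    if (fd < 0) return -1;
    int ok = write(fd, img, len) == (ssize_t)len;
    close(fd);
    return ok ? 0 : -1;
}

/* Lookup step (hypothetical helper): map the image read-only and walk it; no malloc(). */
int32_t dfa_lookup(const char *path, const char *s) {
    struct stat st;
    int fd = open(path, O_RDONLY);
    if (fd < 0) return NOCTX;
    const uint32_t *t = MAP_FAILED;
    if (fstat(fd, &st) == 0 && st.st_size >= 4)
        t = mmap(NULL, (size_t)st.st_size, PROT_READ, MAP_PRIVATE, fd, 0);
    close(fd);                                  /* the mapping outlives the descriptor */
    if (t == MAP_FAILED) return NOCTX;
    uint32_t ns = t[0], cur = 1;                /* size must match the declared state count */
    int ok = ns >= 2 && ns <= MAXST && (size_t)st.st_size == (1 + (size_t)ns * ROW) * 4;
    for (; ok && *s; s++)                       /* a corrupt table must not index out of range */
        ok = (cur = t[1 + cur * ROW + 1 + (unsigned char)*s]) < ns;
    int32_t ctx = ok ? (int32_t)t[1 + cur * ROW] : NOCTX;
    munmap((void *)t, (size_t)st.st_size);
    return ctx;
}
```

Because the table is consumed straight from the mapping, the reader checks the file size against the declared state count and bounds-checks every transition before using it as an index.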