On Mon, 2010-09-20 at 11:07 +0200, Roberto Sassu wrote:
> Hi all
>
> I want to create a custom filesystem policy using the genfscon statement for labelling
> files. I need to specify rules with the wildcard character, in order to obtain the same behaviour
> for multiple subdirectories, but this is currently unsupported (building of the policy fails).
> Are there security/design concerns in introducing this feature, or can it be added
> by patching the code?
> Thanks in advance for replies.

genfscon is only usable to label inodes when we know the name and path to that inode is immutable. Thus you will see in policy that we use genfscon to label only the / directory of most filesystem types. The only places we use more than / is in /proc and /sys, where the kernel determines the name of the objects and those names are both deterministic and immutable.

Aside from the fact that trying to use name-based labeling breaks the security model (we label the object, not the name of the object) on general-purpose filesystems, your specific request has technical issues in that the kernel has no regular expression parser. I see that as an insurmountable hurdle if you try to actually implement this.

-Eric

--
selinux mailing list
selinux@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/selinux
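To make the point about "no regular expression parser" concrete, here is an added model of how a genfscon lookup resolves a label. It is not code from this thread or from the kernel; it mirrors the kernel's genfs lookup behaviour (entries for one filesystem type ordered longest-path-first, first plain string-prefix match wins). The `proc` rules are modelled on the reference policy's well-known proc entries; the `myfs` filesystem type and its rules are hypothetical. It also goes one step beyond the mail by showing why the reference policy needs a separate `/sysvipc` entry: prefix matching is on characters, not path components, so `/sys` would otherwise swallow `/sysvipc`.

```python
# Constructed model of SELinux genfscon label resolution (added example,
# not kernel or checkpolicy code). Within one filesystem type the kernel
# walks its genfscon entries, which the policy compiler keeps ordered
# longest partial path first, and picks the first entry whose path is a
# plain string prefix of the inode's path. No glob, no regex.

from typing import Dict, List, Optional, Tuple

# (fstype, partial_path, context). The proc rows follow the reference
# policy; "myfs" and everything under it is a hypothetical filesystem.
GENFSCON_RULES: List[Tuple[str, str, str]] = [
    ("proc", "/", "system_u:object_r:proc_t:s0"),
    ("proc", "/sys", "system_u:object_r:sysctl_t:s0"),
    ("proc", "/sysvipc", "system_u:object_r:proc_t:s0"),
    ("sysfs", "/", "system_u:object_r:sysfs_t:s0"),
    ("myfs", "/", "system_u:object_r:myfs_t:s0"),
    ("myfs", "/data", "system_u:object_r:myfs_data_t:s0"),
]

GenfsTable = Dict[str, List[Tuple[str, str]]]


def build_genfs_table(rules: List[Tuple[str, str, str]]) -> GenfsTable:
    """Group rules by filesystem type and order each group longest path
    first, so the most specific prefix is tried before shorter ones."""
    table: GenfsTable = {}
    for fstype, path, ctx in rules:
        table.setdefault(fstype, []).append((path, ctx))
    for entries in table.values():
        entries.sort(key=lambda entry: len(entry[0]), reverse=True)
    return table


def genfs_lookup(table: GenfsTable, fstype: str, path: str) -> Optional[str]:
    """Return the context for `path` on `fstype`, or None when the type has
    no genfscon rules at all (the kernel then uses the filesystem's own
    labeling behaviour instead)."""
    for prefix, ctx in table.get(fstype, []):
        # Character-wise prefix test: "/sys" matches "/sysvipc/shm" too,
        # which is exactly why a longer "/sysvipc" entry must exist.
        if path.startswith(prefix):
            return ctx
    return None


def label_paths(table: GenfsTable, fstype: str, paths: List[str]) -> Dict[str, Optional[str]]:
    """Resolve several paths at once; handy for seeing that sibling
    directories can only be told apart by spelling out each literal path."""
    return {p: genfs_lookup(table, fstype, p) for p in paths}


TABLE = build_genfs_table(GENFSCON_RULES)

# Same policy minus the /sysvipc entry, to show the prefix quirk.
TABLE_WITHOUT_SYSVIPC = build_genfs_table(
    [r for r in GENFSCON_RULES if r[1] != "/sysvipc"]
)

if __name__ == "__main__":
    for fstype, path in [
        ("proc", "/cpuinfo"),
        ("proc", "/sys/kernel/hostname"),
        ("proc", "/sysvipc/shm"),
        ("myfs", "/data/alice/cache"),
        ("myfs", "/data/bob/cache"),
        ("ext4", "/etc/passwd"),
    ]:
        print(f"{fstype}:{path} -> {genfs_lookup(TABLE, fstype, path)}")
    print("without /sysvipc entry, /sysvipc/shm ->",
          genfs_lookup(TABLE_WITHOUT_SYSVIPC, "proc", "/sysvipc/shm"))
```

Run it and note that `/data/alice/cache` and `/data/bob/cache` resolve identically: the only way to give per-subdirectory labels through genfscon is one literal entry per path, which is workable for kernel-generated, immutable names under /proc and /sys and not for user-created directories.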