On Wed, Aug 21, 2019 at 10:02 PM Dominick Grift <dac.override@xxxxxxxxx> wrote: > > On Wed, Aug 21, 2019 at 09:57:14PM +0200, Nicolas Iooss wrote: > > Hi all, > > > > While checking the patterns in refpolicy, I stumbled upon the > > following line in > > https://github.com/SELinuxProject/refpolicy/blob/RELEASE_2_20190609/policy/modules/kernel/files.fc#L200 > > > > /usr/inclu.e(/.*)? gen_context(system_u:object_r:usr_t,s0) > > Probably to work around an m4-ism. There seems to be an m4 "include" built-in. This seems to be a good explanation. The policy also uses workarounds for "index" built-in, with: /etc/amanda/.*/index`'(/.*)? /var/lib/apt-xapian-inde(x)(/.*)? In order not to introduce parentheses (which might change some ordering in the way the paths are matched with the patterns), I am thinking of replacing the pattern of /usr/include with: /usr/includ[e](/.*)? gen_context(system_u:object_r:usr_t,s0) ... with a comment about working around a m4 issue. Thanks, Nicolas > > > > This pattern matches /usr/include and its content, but why is a dot > > used? Which other directories can it match? > > > > The issue there is that a dot can match a slash, so the pattern also > > matches /usr/inclu/e/, which seems strange. This pattern has been > > introduced in the very early days of refpolicy's git repository, > > according to https://github.com/SELinuxProject/refpolicy/commit/f8ec0ad43b54437e2d9f0e48a773a64dbd9e543c#diff-e333cb52d2139f7a71f0dfbd32c06f70R117. > > Does anyone remember why the pattern for /usr/include is so special? > > > > Thanks, > > Nicolas > > > > -- > Key fingerprint = 5F4D 3CDB D3F8 3652 FBD8 02D5 3B6C 5F1D 2C7B 6B02 > https://sks-keyservers.net/pks/lookup?op=get&search=0x3B6C5F1D2C7B6B02 > Dominick Grift