We have created a prototype implementation of FCGlob [1], with a refpolicy branch converted over to the globs. FCGlob uses globbing instead of regular expressions for file context specification. This is more straightforward for users and is deterministic for sorting. Both the policy and code can be checked out in the fcglob branch of refpolicy [2].

I'd request that you give it a spin on your system. There is a non-destructive test function which uses your filesystem as input and compares the result of the fcglob matchpathcon versus the current regex matchpathcon result and reports mismatches. The caveat being that this is not optimized code, and in fact is quite slow, especially because the Python must exec a matchpathcon wrapper for each path for the regex match. Unfortunately the regex matchpathcon couldn't be run in the Python, since the context validation could not be disabled since Python can't use function pointers.

Simply check out the branch, and run "make globtest". Mismatches are likely due to insufficient globs (there may not be enough globs to replicate the regex coverage), but could possibly expose incorrect results from the regex matchpathcon (I've seen this a couple times), or a bug in the code, or worst case, a flaw in the FCGlob design.

[1] http://selinux-symposium.org/2007/papers/06-fcglob.pdf
[2] http://oss.tresys.com/projects/refpolicy/wiki/SubversionCheckout

--
Chris PeBenito
Tresys Technology, LLC
(410) 290-1411 x150
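The kind of differential check the message describes, as an added sketch that is not the globtest code from the fcglob branch: it labels each path with a regex table and with a glob table and reports where the two disagree. The spec entries, the path list, and both resolution rules (last regex match in file order wins; the glob with the most literal characters wins) are assumptions made for illustration, not FCGlob's actual algorithm.

```python
import re
from fnmatch import fnmatchcase

# Constructed sample specs (not taken from refpolicy); the order of entries matters here.
REGEX_SPECS = [
    (r"/.*", "default_t"),
    (r"/etc(/.*)?", "etc_t"),
    (r"/var/log(/.*)?", "var_log_t"),
    (r"/var/log/audit(/.*)?", "auditd_log_t"),
]
# Constructed glob set; it deliberately lacks /var/log/audit to show a coverage gap.
GLOB_SPECS = [
    ("/*", "default_t"),
    ("/etc", "etc_t"), ("/etc/*", "etc_t"),
    ("/var/log", "var_log_t"), ("/var/log/*", "var_log_t"),
]

def regex_label(path, specs=REGEX_SPECS):
    """Assumed rule: the last fully matching entry in file order wins."""
    label = None
    for pattern, ctx in specs:
        if re.fullmatch(pattern, path):
            label = ctx
    return label

def glob_specificity(pattern):
    """Assumed ordering key: more literal characters means more specific."""
    return sum(1 for ch in pattern if ch not in "*?[]")

def glob_label(path, specs=GLOB_SPECS):
    """Pick the most specific matching glob; entry order is irrelevant."""
    # fnmatch's '*' also matches '/', which this sketch relies on.
    hits = [(glob_specificity(p), p, ctx) for p, ctx in specs if fnmatchcase(path, p)]
    return max(hits)[2] if hits else None

def mismatches(paths):
    """Return (path, regex_label, glob_label) for every path where they differ."""
    rows = [(p, regex_label(p), glob_label(p)) for p in paths]
    return [row for row in rows if row[1] != row[2]]

# Constructed path list standing in for a filesystem walk.
SAMPLE_PATHS = ["/etc", "/etc/passwd", "/var/log/messages",
                "/var/log/audit/audit.log", "/home/user"]

if __name__ == "__main__":
    for path, r, g in mismatches(SAMPLE_PATHS):
        print(f"MISMATCH {path}: regex={r} glob={g}")
```

The single reported mismatch is the "insufficient globs" case: the audit log falls back to the broader `/var/log/*` entry, so a file that should carry the tighter label silently gets the more general one until a matching glob is added.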