[Resending because I originally only sent these to the new list]

ocontexts (initial sids, fs_use_*, genfscon, portcon, etc) are sorted by libsemanage when using policy modules and by libsepol when using CIL, but they are not sorted by checkpolicy when creating a policy from a policy.conf.

Checkpolicy's behavior allows control over the ordering which determines the matching order for portcons and other ocontext rules, but there are times when that specific control is not desired.

This patch set exposes an internal ocontext sorting function and adds a command line option to checkpolicy to sort ocontexts.

James Carter (2):
  libsepol: Create policydb_sort_ocontexts()
  checkpolicy: Add option to sort ocontexts when creating a binary policy

 checkpolicy/checkpolicy.c                  | 22 +++++++++++++++++-----
 libsepol/include/sepol/policydb/policydb.h |  2 ++
 libsepol/src/policydb.c                    |  5 +++++
 3 files changed, 24 insertions(+), 5 deletions(-)

--
2.17.1
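
The effect of portcon ordering described in the message above, as an added example that is not part of the patch set or of checkpolicy/libsepol. It assumes first-match-wins lookup; the policy fragment is constructed, and narrowest_first() is a hypothetical ordering, not the comparator used by policydb_sort_ocontexts().

```python
import re

# Constructed policy.conf fragment (not from the patch set): a broad range
# is listed before a single port that falls inside it.
POLICY_CONF = """\
portcon tcp 1024-65535 system_u:object_r:unreserved_port_t:s0
portcon tcp 8080 system_u:object_r:http_cache_port_t:s0
portcon udp 53 system_u:object_r:dns_port_t:s0
"""
PORTCON_RE = re.compile(r"^portcon\s+(\w+)\s+(\d+)(?:\s*-\s*(\d+))?\s+(\S+)$")


def parse_portcons(text):
    """Return portcon entries in file order as (proto, low, high, context)."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blank lines
        if not line:
            continue
        m = PORTCON_RE.match(line)
        if m is None:
            raise ValueError(f"not a portcon statement: {raw!r}")
        low = int(m.group(2))
        high = int(m.group(3)) if m.group(3) else low
        if low > high or high > 65535:
            raise ValueError(f"bad port range: {raw!r}")
        entries.append((m.group(1), low, high, m.group(4)))
    return entries


def lookup(entries, proto, port):
    """Assumed matching model: the first entry covering the port wins."""
    for p, low, high, ctx in entries:
        if p == proto and low <= port <= high:
            return ctx
    return None  # no portcon matched


def narrowest_first(entries):
    """Hypothetical ordering for illustration, not libsepol's comparator."""
    return sorted(entries, key=lambda e: (e[2] - e[1], e[1], e[0]))


def shadowed(entries):
    """Entries that cannot match: one earlier entry covers their whole range."""
    return [e for i, e in enumerate(entries)
            if any(q == e[0] and lo <= e[1] and e[2] <= hi
                   for q, lo, hi, _ in entries[:i])]
```

Running shadowed() over the entries in file order is a quick review check for labels that an unsorted policy.conf silently never applies.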