On Wed, Sep 2, 2020 at 2:54 AM 李武刚 <liwugang@xxxxxxx> wrote:
>
>
> At 2020-09-01 20:39:55, "Stephen Smalley" <stephen.smalley.work@xxxxxxxxx> wrote:
> >I'm not sure this works the way you intend. /data/(.*)? is a full
> >match for /data/backup. Do you want to stop there and not include
> >/data/backup(/.*)? This also changes behavior of an existing API/ABI
> >in an incompatible manner.
> >
>
> My original intention is that /data/backup(/.*)? is always after /data/(.*)?; traversing from
> back to front, the /data/backup(/.*)? will be the first to meet the condition.
> But after checking the code, the function sort_specs doesn't sort the entries, it just puts the entries
> with the meta characters in the front. So it can't guarantee the sequence I want.
> I think I also need to add the function to sort the entries.

Typically the policy runs a helper (fc_sort) to sort the file_contexts
based on a set of rules, and upstream performs sorting in libsemanage
(semanage_fc_sort()) when generating file_contexts. So it might work
but you need to confirm that the sorting rules are guaranteed to yield
the right behavior. What if there are meta-characters at the beginning
or middle of the pathname and not just the end?
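An added sketch (not libselinux, fc_sort or semanage_fc_sort() code) of why entry order decides the result under the back-to-front traversal discussed above, and why a sort rule has to account for metacharacters in the middle of a pattern, not just at the end. The entries are constructed, and the sort key (literal stem length, then literal character count) is an assumption chosen for illustration, not the rule either tool actually uses.

```python
import re

# Constructed file_contexts-style entries (regex, label). Listed in an
# order where the specific entry comes BEFORE the general one on purpose.
SPECS = [
    ("/data/backup(/.*)?", "backup_file"),
    ("/data/(.*)?", "data_file"),
    ("/data/(.*)?/cache(/.*)?", "cache_file"),  # metacharacters mid-pattern
]

META = set(".^$?*+|[](){}\\")


def stem(pattern):
    """Literal prefix up to the first regex metacharacter."""
    i = 0
    while i < len(pattern) and pattern[i] not in META:
        i += 1
    return pattern[:i]


def sort_specs(specs):
    """Assumed ordering: longer literal stem sorts later; ties (same stem,
    e.g. a metacharacter in the middle) are broken by how many literal
    characters the whole pattern contains, so the more specific entry lands
    nearer the end and is reached first by the back-to-front scan."""
    def key(spec):
        pat = spec[0]
        literal = sum(1 for c in pat if c not in META)
        return (len(stem(pat)), literal)
    return sorted(specs, key=key)


def lookup(specs, path):
    """Back-to-front traversal: the last entry that fully matches wins."""
    for pat, label in reversed(specs):
        if re.fullmatch(pat, path):
            return label
    return None


if __name__ == "__main__":
    # Unsorted: /data/(.*)? is scanned before /data/backup(/.*)? and wins.
    print(lookup(SPECS, "/data/backup/x"))              # data_file
    # Sorted: the longer-stem entry sits later and is found first.
    print(lookup(sort_specs(SPECS), "/data/backup/x"))  # backup_file
```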