Vit Mojzis <vmojzis@xxxxxxxxxx> writes: > Describe which type of regular expression is used in file context > definitions and which flags are in effect. > > Explain how local file context modifications are processed. > > Signed-off-by: Vit Mojzis <vmojzis@xxxxxxxxxx> Acked-by: Petr Lautrbach <plautrba@xxxxxxxxxx> > --- > > libselinux/man/man5/selabel_file.5 | 9 ++++++++- > python/semanage/semanage | 2 +- > python/semanage/semanage-fcontext.8 | 18 ++++++++++++++++++ > 3 files changed, 27 insertions(+), 2 deletions(-) > > diff --git a/libselinux/man/man5/selabel_file.5 b/libselinux/man/man5/selabel_file.5 > index e97bd826..baba7776 100644 > --- a/libselinux/man/man5/selabel_file.5 > +++ b/libselinux/man/man5/selabel_file.5 > @@ -125,7 +125,14 @@ Where: > .RS > .I pathname > .RS > -An entry that defines the pathname that may be in the form of a regular expression. > +An entry that defines the path to be labeled. > +May contain either a fully qualified path, > +or a Perl compatible regular expression (PCRE), > +describing fully qualified path(s). > +The only PCRE flag in use is PCRE2_DOTALL, > +which causes a wildcard '.' to match anything, including a new line. > +Strings representing paths are processed as bytes (as opposed to Unicode), > +meaning that non-ASCII characters are not matched by a single wildcard. > .RE > .I file_type > .RS > diff --git a/python/semanage/semanage b/python/semanage/semanage > index 125271df..18a27105 100644 > --- a/python/semanage/semanage > +++ b/python/semanage/semanage 
> @@ -379,7 +379,7 @@ If you do not specify a file type, the file type will default to "all files". > parser_add_seuser(fcontextParser, "fcontext") > parser_add_type(fcontextParser, "fcontext") > parser_add_range(fcontextParser, "fcontext") > - fcontextParser.add_argument('file_spec', nargs='?', default=None, help=_('file_spec')) > + fcontextParser.add_argument('file_spec', nargs='?', default=None, help=_('Path to be labeled (may be in the form of a Perl compatible regular expression)')) > fcontextParser.set_defaults(func=handleFcontext) > > > diff --git a/python/semanage/semanage-fcontext.8 b/python/semanage/semanage-fcontext.8 > index 561123af..49635ba7 100644 > --- a/python/semanage/semanage-fcontext.8 > +++ b/python/semanage/semanage-fcontext.8 
> @@ -11,6 +11,24 @@ SELinux policy without requiring modification to or recompilation > from policy sources. semanage fcontext is used to manage the default > file system labeling on an SELinux system. This command maps file paths using regular expressions to SELinux labels. > > +FILE_SPEC may contain either a fully qualified path, > +or a Perl compatible regular expression (PCRE), > +describing fully qualified path(s). The only PCRE flag in use is PCRE2_DOTALL, > +which causes a wildcard '.' to match anything, including a new line. > +Strings representing paths are processed as bytes (as opposed to Unicode), > +meaning that non-ASCII characters are not matched by a single wildcard. > + > +Note, that file context definitions specified using 'semanage fcontext' > +(i.e. local file context modifications stored in file_contexts.local) > +have higher priority than those specified in policy modules. > +This means that whenever a match for given file path is found in > +file_contexts.local, no other file context definitions are considered. > +Entries in file_contexts.local are processed from most recent one to the oldest, > +with first match being used (as opposed to the most specific match, > +which is used when matching other file context definitions). > +All regular expressions should therefore be as specific as possible, > +to avoid unintentionally impacting other parts of the filesystem. > + > .SH "OPTIONS" > .TP > .I \-h, \-\-help > -- > 2.29.2
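Review bot: in the libselinux/man/man5/selabel_file.5 hunk, the new pathname description does not say whether the expression must match the whole path or may match anywhere inside it. "describing fully qualified path(s)" hints at a full match, but someone writing a pattern for one directory cannot tell from this wording whether sibling paths sharing the same prefix are also affected. Suggest stating the anchoring behaviour explicitly, since that determines how far a label reaches. The sentence "non-ASCII characters are not matched by a single wildcard" would also read better as a positive statement: because paths are processed as bytes, a multi-byte character needs one '.' per byte.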
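Review bot: in the python/semanage/semanage hunk, the new help string for file_spec says "Path to be labeled", while both man page hunks in this patch say "fully qualified path". Suggest aligning the wording, for example "Fully qualified path to be labeled (may be a Perl compatible regular expression)", so that --help and the man pages give the same requirement.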
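Review bot: in the python/semanage/semanage-fcontext.8 hunk, the paragraph on file_contexts.local states the rule (most recent entry first, first match wins, no other definitions considered) but gives no example, and this is the part most likely to cause mislabeling. Suggest adding a short pair of entries showing a broad pattern added later overriding an earlier, more specific local entry, so the advice "as specific as possible" has something concrete behind it. The first added paragraph repeats the selabel_file.5 text word for word; a reference to selabel_file(5) would avoid the two copies drifting apart. Minor wording: "Note, that" should be "Note that", and "for given file path" should be "for a given file path".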