Petr Lautrbach <plautrba@xxxxxxxxxx> writes: > Vit Mojzis <vmojzis@xxxxxxxxxx> writes: > >> Describe which type of regular expression is used in file context >> definitions and which flags are in effect. >> >> Explain how local file context modifications are processed. >> >> Signed-off-by: Vit Mojzis <vmojzis@xxxxxxxxxx> > > Acked-by: Petr Lautrbach <plautrba@xxxxxxxxxx> Merged, thanks! >> --- >> >> libselinux/man/man5/selabel_file.5 | 9 ++++++++- >> python/semanage/semanage | 2 +- >> python/semanage/semanage-fcontext.8 | 18 ++++++++++++++++++ >> 3 files changed, 27 insertions(+), 2 deletions(-) >> >> diff --git a/libselinux/man/man5/selabel_file.5 b/libselinux/man/man5/selabel_file.5 >> index e97bd826..baba7776 100644 >> --- a/libselinux/man/man5/selabel_file.5 >> +++ b/libselinux/man/man5/selabel_file.5 >> @@ -125,7 +125,14 @@ Where: >> .RS >> .I pathname >> .RS >> -An entry that defines the pathname that may be in the form of a regular expression. >> +An entry that defines the path to be labeled. >> +May contain either a fully qualified path, >> +or a Perl compatible regular expression (PCRE), >> +describing fully qualified path(s). >> +The only PCRE flag in use is PCRE2_DOTALL, >> +which causes a wildcard '.' to match anything, including a new line. >> +Strings representing paths are processed as bytes (as opposed to Unicode), >> +meaning that non-ASCII characters are not matched by a single wildcard. >> .RE >> .I file_type >> .RS >> diff --git a/python/semanage/semanage b/python/semanage/semanage >> index 125271df..18a27105 100644 >> --- a/python/semanage/semanage >> +++ b/python/semanage/semanage 
>> @@ -379,7 +379,7 @@ If you do not specify a file type, the file type will default to "all files". >> parser_add_seuser(fcontextParser, "fcontext") >> parser_add_type(fcontextParser, "fcontext") >> parser_add_range(fcontextParser, "fcontext") >> - fcontextParser.add_argument('file_spec', nargs='?', default=None, help=_('file_spec')) >> + fcontextParser.add_argument('file_spec', nargs='?', default=None, help=_('Path to be labeled (may be in the form of a Perl compatible regular expression)')) >> fcontextParser.set_defaults(func=handleFcontext) >> >> >> diff --git a/python/semanage/semanage-fcontext.8 b/python/semanage/semanage-fcontext.8 >> index 561123af..49635ba7 100644 >> --- a/python/semanage/semanage-fcontext.8 >> +++ b/python/semanage/semanage-fcontext.8 
>> @@ -11,6 +11,24 @@ SELinux policy without requiring modification to or recompilation >> from policy sources. semanage fcontext is used to manage the default >> file system labeling on an SELinux system. This command maps file paths using regular expressions to SELinux labels. >> >> +FILE_SPEC may contain either a fully qualified path, >> +or a Perl compatible regular expression (PCRE), >> +describing fully qualified path(s). The only PCRE flag in use is PCRE2_DOTALL, >> +which causes a wildcard '.' to match anything, including a new line. >> +Strings representing paths are processed as bytes (as opposed to Unicode), >> +meaning that non-ASCII characters are not matched by a single wildcard. >> + >> +Note, that file context definitions specified using 'semanage fcontext' >> +(i.e. local file context modifications stored in file_contexts.local) >> +have higher priority than those specified in policy modules. >> +This means that whenever a match for given file path is found in >> +file_contexts.local, no other file context definitions are considered. >> +Entries in file_contexts.local are processed from most recent one to the oldest, >> +with first match being used (as opposed to the most specific match, >> +which is used when matching other file context definitions). >> +All regular expressions should therefore be as specific as possible, >> +to avoid unintentionally impacting other parts of the filesystem. >> + >> .SH "OPTIONS" >> .TP >> .I \-h, \-\-help >> -- >> 2.29.2
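Review bot: In the libselinux/man/man5/selabel_file.5 hunk, the new pathname description does not say whether the regular expression is implicitly anchored to the whole path or may match a substring of it. "describing fully qualified path(s)" hints at whole-path matching, but a reader writing a pattern cannot tell from this text whether a trailing ".*" is needed to cover a subtree. Please state the anchoring behaviour explicitly. Two smaller points on the same lines: "non-ASCII characters are not matched by a single wildcard" would be clearer if it said that, because matching is per byte, a multi-byte character needs one '.' per byte, and "new line" should read "newline".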
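Review bot: In the python/semanage/semanage hunk, the new file_spec help string drops the "fully qualified" requirement that both man page hunks state, so the --help output and the man pages describe the argument differently. Suggest wording the help as "Fully qualified path to be labeled (may be in the form of a Perl compatible regular expression)" so the three places agree.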
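Review bot: In the python/semanage/semanage-fcontext.8 hunk, "processed from most recent one to the oldest" does not say what "recent" is measured by, and that ordering is what decides which label is applied once a broad local pattern exists. Please say explicitly that it refers to the order in which entries were added to file_contexts.local, and consider a short example of a later broad entry shadowing an earlier specific one, since the closing advice ("as specific as possible") depends on the reader understanding that. The first added paragraph also repeats the selabel_file.5 text verbatim; a reference to selabel_file(5) would keep the two from drifting apart. Minor wording: "Note, that" should be "Note that", and "for given file path" should be "for a given file path".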