On 02/24/2015 09:00 PM, 심현용 wrote:
> Dear Stephen
>
> I am always thankful for your kind help.
> I have some questions about labeling of symbolic links.
>
> I know that commit you applied labeling about symbolic link of
> devices/block/platform/.
>
> https://android.googlesource.com/platform/system/core/+/b0ab94b7d5a888f0b6920b156e5c6a075fa0741a%5E%21/
>
> this commit re-factoring method lookup_best_match like that.
> https://android.googlesource.com/platform/external/libselinux/+/be7f5e8814c4954aca51d3f95455c5d9d527658c%5E%21/
>
> So I can use in file_contexts.
> /dev/block/platform/.*/my-name

I wouldn't really recommend .* usage in such a regex, but see
device/lge/hammerhead/sepolicy/file_contexts for an example, e.g.

/dev/block/platform/msm_sdcc\.1/by-name/system u:object_r:system_block_device:s0

That support was specifically introduced for devices because we were told
that sometimes the partition numbers could vary and only the partition
name was stable across devices, so we needed a way to specify the label
independent of a particular partition number. It is only used by ueventd
for block device labeling, and there we know up front the real name and
all of the symlink names at the point we perform the labeling, so we can
use that to make a best match.

> But, I hope also use other file path likes /sys/class/led/*/ ... (leds
> is symbolic-link)
> My devices are different path leds per device.
>
> When I use labeling /sys/class/leds/*/name , restorecon_recursive was
> stopped at leds!
> No more continue until name.

/sys/class/leds/* as a regex would mean /sys/class/leds followed by zero
or more / characters. Did you mean /sys/class/leds/.*?

> So I can only use file's full path at file_contexts each devices like that.
> ex)
> -one device
> /sys/class/leds/blue/brightness
> -the other device
> /sys/class/leds/B/brightness
>
> I hope using that .. (but restorecon_recursive will be stop at leds..)
> /sys/class/leds/*/brightness
>
> Could you please improve lookup_best_match method?
> If I don't understand this method, please teach me using this method.

We can't readily use the best match method for the
restorecon_recursive("/sys") because we do not have all of the names
available at one time, and we could easily end up labeling the node one
context when we visit the symlink and then relabel to a different context
when we visit the real name (or vice versa). And worse if there are
multiple symlinks to the same node.
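An added example, not part of the original thread and not libselinux code: a simplified Python model of the two points in the reply, namely that file_contexts patterns are regexes matched against the whole path, and that a best match needs the real name and every symlink name at once. The catch-all entry, the partition node name and the ranking rule (exact pattern first, then longest fixed prefix) are assumptions made for the illustration.

```python
import re

# Constructed file_contexts-style entries. The second is the hammerhead entry
# quoted in the thread; the first is an assumed catch-all for this demo.
ENTRIES = [
    (r"/dev/block(/.*)?", "u:object_r:block_device:s0"),
    (r"/dev/block/platform/msm_sdcc\.1/by-name/system",
     "u:object_r:system_block_device:s0"),
]

def matches(pattern, path):
    """file_contexts patterns are regexes matched against the whole path."""
    return re.fullmatch(pattern, path) is not None

def literal_prefix_len(pattern):
    """Length of the pattern before its first unescaped regex metacharacter."""
    i = 0
    while i < len(pattern):
        if pattern[i] == "\\":
            i += 2                      # escaped character counts as literal
        elif pattern[i] in ".^$?*+|[({":
            return i
        else:
            i += 1
    return len(pattern)

def specificity(pattern):
    """Simplified ranking (assumption): exact first, then longest fixed prefix."""
    n = literal_prefix_len(pattern)
    return (n == len(pattern), n)

def lookup(path, entries=ENTRIES):
    """Label one path on its own, as a recursive walk has to."""
    hits = [e for e in entries if matches(e[0], path)]
    return max(hits, key=lambda e: specificity(e[0]))[1] if hits else None

def best_match(real, aliases, entries=ENTRIES):
    """Label a node when its real name and all symlink names are known."""
    hits = [e for e in entries for p in [real, *aliases] if matches(e[0], p)]
    return max(hits, key=lambda e: specificity(e[0]))[1] if hits else None

if __name__ == "__main__":
    real = "/dev/block/mmcblk0p25"      # constructed partition node name
    link = "/dev/block/platform/msm_sdcc.1/by-name/system"
    print(lookup(real), lookup(link), best_match(real, [link]))
    for pat in ("/sys/class/leds/*/brightness", "/sys/class/leds/.*/brightness"):
        print(pat, matches(pat, "/sys/class/leds/blue/brightness"))
```

Looking up the real name and the symlink name separately yields two different contexts for the same node, which is the relabeling conflict described for restorecon_recursive("/sys").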