On Dec 29, 2015 2:27 PM, "Stephen Smalley" <stephen.smal...@gmail.com> wrote:
>
> On Tue, Dec 29, 2015 at 3:46 PM, Roberts, William C
> <william.c.robe...@intel.com> wrote:
> >
> > I was under the impression that fc entry order does not matter. That they
> > are sorted based on how specific the match is..
> >
> > As per:
> >
> > https://fedoraproject.org/wiki/SELinux/ManagingFileContext
> >
> > In the current Android 6.0 release, I don't see the function sort_specs()
> > anywhere in external/libselinux, or any code that sorts the fc entries.
> >
> > Looks like this code from 6.0:
> >
> >     /* Move exact pathname specifications to the end. */
> >     spec_copy = (spec_t *) malloc(sizeof(spec_t) * data->nspec);
> >     if (!spec_copy)
> >         goto finish;
> >     j = 0;
> >     for (i = 0; i < data->nspec; i++)
> >         if (data->spec_arr[i].hasMetaChars)
> >             memcpy(&spec_copy[j++],
> >                    &data->spec_arr[i], sizeof(spec_t));
> >     for (i = 0; i < data->nspec; i++)
> >         if (!data->spec_arr[i].hasMetaChars)
> >             memcpy(&spec_copy[j++],
> >                    &data->spec_arr[i], sizeof(spec_t));
> >     free(data->spec_arr);
> >
> > Was replaced with sort_specs() on upstream libselinux.
> >
> > Does anyone perhaps have any more light to shed? Am I way off here?
>
> libselinux only "sorts" in the sense of giving precedence to exact (no
> regex characters) entries. The sorting described in the page you
> referenced is done by libsemanage or by the fc_sort helper program
> used in the refpolicy build and is not part of Android at all. That
> sorting was introduced to help with ambiguities that occur when
> file_contexts was split into per-module .fc files.
That's essentially the problem we have in our build. Each module is added
during the build via sepolicy dirs variable. Perhaps then we should look at
adding fc_sort during build?

> Android however
> only has a single monolithic file_contexts file, and even with the
> device-specific file_contexts, the assumption is that those entries
> should always take precedence over the generic ones (as long as they
> are not identical and conflict). So order does matter. Last matching
> entry wins.
>
> _______________________________________________
> Seandroid-list mailing list
> Seandroid-list@tycho.nsa.gov
> To unsubscribe, send email to seandroid-list-le...@tycho.nsa.gov.
> To get help, send an email containing "help" to seandroid-list-requ...@tycho.nsa.gov.
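The precedence rule discussed in the thread (exact entries moved after the patterns, then the last matching entry wins), as an added C example that is not libselinux's own code; the file_contexts table, its labels and the metachar test are constructed for illustration and only approximate what libselinux does:

```c
#include <regex.h>
#include <stdbool.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Loosely modelled on libselinux's spec_t; only the fields needed here (constructed). */
typedef struct { const char *regex_str; const char *context; bool hasMetaChars; } spec_t;

/* Constructed file_contexts, in file order: the exact entry is deliberately
 * written BEFORE the broader pattern that also matches it. Not Android's real file. */
static const spec_t file_order[] = {
    { "/data/local/tmp",  "u:object_r:shell_data_file:s0",  false },
    { "/data(/.*)?",      "u:object_r:system_data_file:s0", true  },
    { "/data/app(/.*)?",  "u:object_r:apk_data_file:s0",    true  },
};
#define NSPEC (sizeof file_order / sizeof file_order[0])

/* The 6.0 reordering quoted in the thread: patterns first, exact entries after,
 * each group keeping its relative order. Writes n entries into out[]. */
static void move_exact_to_end(const spec_t *in, spec_t *out, size_t n)
{
    size_t i, j = 0;
    for (i = 0; i < n; i++) if (in[i].hasMetaChars)  out[j++] = in[i];
    for (i = 0; i < n; i++) if (!in[i].hasMetaChars) out[j++] = in[i];
}

/* One entry vs. one path: patterns are anchored ^...$ and compiled as POSIX ERE;
 * exact entries are a plain string compare (no regex involved). */
static bool spec_matches(const spec_t *s, const char *path)
{
    if (!s->hasMetaChars) return strcmp(s->regex_str, path) == 0;
    char anchored[256]; regex_t re; bool hit;
    snprintf(anchored, sizeof anchored, "^%s$", s->regex_str);
    if (regcomp(&re, anchored, REG_EXTENDED | REG_NOSUB) != 0) return false;
    hit = regexec(&re, path, 0, NULL, 0) == 0;
    regfree(&re);
    return hit;
}

/* Scan every entry; the last one that matches wins. With reorder=true the table
 * first goes through move_exact_to_end(). Returns NULL when nothing matches. */
const char *label_for(const char *path, bool reorder)
{
    spec_t specs[NSPEC];
    const char *winner = NULL;
    if (reorder) move_exact_to_end(file_order, specs, NSPEC);
    else memcpy(specs, file_order, sizeof specs);
    for (size_t i = 0; i < NSPEC; i++)
        if (spec_matches(&specs[i], path)) winner = specs[i].context;
    return winner;
}
```

With reorder=false the broad `/data(/.*)?` pattern, listed later in the file, silently overrides the exact `/data/local/tmp` entry; with reorder=true the exact entry wins, which is the only "sorting" the thread says Android's libselinux performs.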