Re: Just a quick thought.

From: Paul Howarth <paul_at_nospam>
Date: Tue Aug 04 2009 - 12:44:41 GMT
To: Daniel J Walsh <dwalsh@redhat.com>

On 04/08/09 12:20, Daniel J Walsh wrote:
> Now that we have labelling equivalence should we just add a
>
> /lib64 /lib
> /usr/lib64 /usr/lib
> /usr/local/lib64 /usr/local/lib
>
> Seems we could simplify policy and prevent many mistakes. Might speed up regex matching a little bit.

It would also remove the need for the /lib(64)? style regexes altogether, which are unfortunately close to the start of the pathname and cause these patterns to score poorly when being considered as a possible match for a filename.

> grep 64 /etc/selinux/targeted/contexts/files/file_contexts | wc
> 259 735 18694
>
>
> If were were more aggressive
>
> /usr/local /usr

That looks sane.

> /opt /usr

Don't agree with that one. /opt tends to fill with things like /opt/appname and only then the regular structure underneath there with /bin, /man etc.

Paul. -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@tycho.nsa.gov with the words "unsubscribe selinux" without quotes as the message.

This message: [ Message body ]
Next message: Stephen Smalley: "Re: A question about selinux userspace tools"
Previous message: Stephen Smalley: "Re: A question about installing refpolicy-2.10081210"
In reply to: Daniel J Walsh: "Just a quick thought."

Contemporary messages sorted: [ By Date ] [ By Thread ] [ By Subject ] [ By Author ]