mirror of
https://github.com/SELinuxProject/selinux
synced 2025-03-06 02:07:34 +00:00
c00ed59281
This is a follow up fix to the restorecon change in commit 6ab5fbaabc84f7093b37c1afae855292e918090f This change has been tested in android for a while. The stem is a list of top level directory (without regex metachar) covered in the file context. And it constructs from finding the second '/' in the regex_string; and aims to speed up the lookup by skipping unnecessary regex matches. More contexts in https://lore.kernel.org/selinux/200309231522.25749.russell@coker.com.au/ However, this caused some issue when we try to find all the partial matches for a root directory. For example, the path "/data" doesn't have a stem while the regex "/data/misc/(/.*)?" has "/data" as the stem. As a result, all the regex for the subdirs of /data will not considered as a match for "/data". And the restorecon will wrongly skip on top level "/data" when there's a context change to one of subdir. This CL always includes the stem when compiling the regex in all circumstances. Also, it ignores the stem id check in the "match all" case, while the behavior for the single match stays unchanged. I will collect more data to find out if stem id check is still necessary at all with the new restorecon logic. Test: run restorecon on "/data"; change the context of one subdir and run again, and the context is restored on that subdir; search the caller of regex_match Signed-off-by: Tianjie Xu <xunchang@google.com> |
||
|---|---|---|
| checkpolicy | ||
| dbus | ||
| gui | ||
| libselinux | ||
| libsemanage | ||
| libsepol | ||
| mcstrans | ||
| policycoreutils | ||
| python | ||
| restorecond | ||
| sandbox | ||
| scripts | ||
| secilc | ||
| semodule-utils | ||
| .gitignore | ||
| .travis.yml | ||
| CleanSpec.mk | ||
| CONTRIBUTING.md | ||
| Makefile | ||
| README | ||
Please submit all bug reports and patches to selinux@vger.kernel.org. Subscribe by sending "subscribe selinux" in the body of an email to majordomo@vger.kernel.org. Build dependencies on Fedora: yum install audit-libs-devel bison bzip2-devel dbus-devel dbus-glib-devel flex flex-devel flex-static glib2-devel libcap-devel libcap-ng-devel pam-devel pcre-devel python3-devel python3-setools swig xmlto redhat-rpm-config To build and install everything under a private directory, run: make DESTDIR=~/obj install install-pywrap To install as the default system libraries and binaries (overwriting any previously installed ones - dangerous!), on x86_64, run: make LIBDIR=/usr/lib64 SHLIBDIR=/lib64 install install-pywrap relabel or on x86 (32-bit), run: make install install-pywrap relabel This may render your system unusable if the upstream SELinux userspace lacks library functions or other dependencies relied upon by your distribution. If it breaks, you get to keep both pieces. To install libsepol on macOS (mainly for policy analysis): cd libsepol; make PREFIX=/usr/local install This requires GNU coreutils (brew install coreutils).