On Thu, 2006-03-30 at 09:13 -0800, alan wrote:
> On Thu, 30 Mar 2006, Stephen Smalley wrote:
>
> >> In FC5 we have
> >>
> >> /usr(/.*)?/nvidia/.*\.so(\..*)? --
> >> gen_context(system_u:object_r:textrel_shlib_t,s0)
> >
> > Looks like it is being overridden by a later entry in file_contexts:
> > /usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)* -- system_u:object_r:shlib_t
>
> Is there a way to log an error when an overlap like this occurs?

Such overlap is a normal part of file_contexts; you put more general
expressions first to provide defaults (e.g. mapping everything with no
matching spec to default_t via /.*, mapping all .so files under /usr/lib
not otherwise specified to lib_t via the regex above, etc) and then
provide more specific refinements. There is an improved sorting
algorithm coming for file_contexts, but it can't do much when you have
two roughly equally generic regexes like the above two - which is more
specific? Fully specified paths (no regexes) always win, of course.

-- 
Stephen Smalley
National Security Agency
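
An added example, not part of the original message and not libselinux code: a small checker that models the ordering described above (a later matching entry overrides an earlier one, a fully specified path always wins) and lists the entries that lose for a given path. The sample entries, the sample paths, the metacharacter test and the helper names are constructed for illustration.

```python
import re

# Constructed sample in file_contexts order, contexts written out in full.
# The exact-path entry is deliberately placed before the generic lib regex.
SAMPLE = r"""
/.*                                      system_u:object_r:default_t
/usr/lib/nvidia/libexact\.so          -- system_u:object_r:textrel_shlib_t
/usr(/.*)?/nvidia/.*\.so(\..*)?       -- system_u:object_r:textrel_shlib_t
/usr(/.*)?/lib(64)?/.*\.so(\.[^/]*)*  -- system_u:object_r:shlib_t
"""

META = set(".^$?*+|[({")  # assumption: what counts as "a regex" here


def has_meta(spec):
    """True if spec contains an unescaped regex metacharacter."""
    i = 0
    while i < len(spec):
        if spec[i] == "\\":      # escaped character is a literal, skip it
            i += 2
            continue
        if spec[i] in META:
            return True
        i += 1
    return False


def parse(text):
    """Return (line_no, regex, context) tuples; the file-type field is ignored."""
    entries = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        fields = line.split()
        if fields and not fields[0].startswith("#"):
            entries.append((n, fields[0], fields[-1]))
    return entries


def resolve(entries, path):
    """Return (winner, shadowed) for path under the ordering in the message."""
    matches = [e for e in entries if re.fullmatch(e[1], path)]
    if not matches:
        return None, []
    exact = [e for e in matches if not has_meta(e[1])]
    winner = (exact or matches)[-1]          # exact path wins, else last match
    shadowed = [e for e in matches if e is not winner and e[2] != winner[2]]
    return winner, shadowed


if __name__ == "__main__":
    for p in ("/usr/lib/nvidia/libGL.so.1", "/usr/lib/nvidia/libexact.so"):
        winner, shadowed = resolve(parse(SAMPLE), p)
        print(p, "->", winner[2])
        for n, spec, ctx in shadowed:
            print("   overridden: entry %d %s (%s)" % (n, spec, ctx))
```

Because overlap with the generic defaults is expected, the output is a review aid for a specific path rather than an error report.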