The actual algorithm was then to take /etc/selinux/targeted/contexts/file_cont
With the introduction of loadable modules this all changed. We no longer keep all of the file contexts in one RPM package. So we needed a mechanism for "sorting" the file context. Understanding the sorting algorithm is critical to making sure your policy and file_contexts get added to the system correctly and files get put on disk with the correct file context.
Christopher Ashworth of Tresys sent a couple of emails to the Fedora-SELinux list that explain the algorithm.
The sorting algorithm is based on the following heuristics, applied in this order:
When comparing two file contexts A and B...
- if A is a regular expression and B is not, A is less specific than B
- if A's stem length (the number of characters before the first regular expression wildcard) is shorter than B's stem length, A is less specific than B
  "Wildcard" isn't the best word to use here. "Meta character" is better. They include:
  . ^ $ ? * + | [ ( {
- if A's string length (the entire length of the file context string) is shorter than B's string length, A is less specific than B
- if A does not have a specified type and B does, A is less specific than B.
- else, they are considered equally specific.
These are the same heuristics applied to file contexts when building reference policy.
The sort is implemented as a stable iterative mergesort.
Understanding this algorithm is critical to writing good policy.
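The heuristics above can be expressed as a sort key. This is an added example, not code from libsemanage or from the original post. It assumes entries of the form `path [file-type] context`, orders the output least specific first, and uses Python's built-in stable sort in place of the iterative mergesort; the sample entries and function names are constructed for illustration.

```python
# Added example: the specificity heuristics as a sort key (not libsemanage code).
META = set(".^$?*+|[({")  # meta characters as listed in the text above

# Constructed sample entries, deliberately out of order.
SAMPLE = """\
/etc/passwd             --  system_u:object_r:passwd_file_t:s0
/var/www/cgi-bin(/.*)?      system_u:object_r:httpd_sys_script_exec_t:s0
/srv/b(/.*)?                system_u:object_r:var_t:s0
/.*                         system_u:object_r:default_t:s0
/var/log/.*                 system_u:object_r:var_log_t:s0
/etc/passwd                 system_u:object_r:etc_t:s0
/srv/a(/.*)?                system_u:object_r:var_t:s0
/var/www(/.*)?              system_u:object_r:httpd_sys_content_t:s0
"""

def parse(line):
    """Split 'path [file-type] context' into (path, type-or-None, context)."""
    fields = line.split()
    ftype = fields[1] if len(fields) == 3 else None
    return fields[0], ftype, fields[-1]

def specificity(entry):
    """Sort key: a smaller tuple means a less specific entry."""
    path, ftype, _ = entry
    # Index of the first meta character; None means a literal path.
    # Backslash escapes are not handled; the text does not describe them.
    first_meta = next((i for i, c in enumerate(path) if c in META), None)
    is_regex = first_meta is not None
    return (
        0 if is_regex else 1,                 # 1. regex sorts before literal
        first_meta if is_regex else len(path),  # 2. shorter stem first
        len(path),                            # 3. shorter string first
        0 if ftype is None else 1,            # 4. no file type first
    )

def sort_file_contexts(lines):
    """Parse entries, skip blanks and comments, sort least specific first."""
    entries = [parse(l) for l in lines
               if l.strip() and not l.lstrip().startswith("#")]
    # sorted() is stable, so equally specific entries keep their input order.
    return sorted(entries, key=specificity)

if __name__ == "__main__":
    for path, ftype, context in sort_file_contexts(SAMPLE.splitlines()):
        print(f"{path:26} {ftype or '':3} {context}")
```

Note that `/var/log/.*` sorts after `/var/www(/.*)?` even though it is the shorter string, because stem length is compared before string length, and that `/srv/b` stays ahead of `/srv/a` because the two are equally specific.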

Modules