63 lines
2.9 KiB
Diff
From c556c6ad0b94cf3ba4b441a1a0930f2468434227 Mon Sep 17 00:00:00 2001
From: Vit Mojzis <vmojzis@redhat.com>
Date: Wed, 10 Feb 2021 18:05:29 +0100
Subject: [PATCH] selinux(8,5): Describe fcontext regular expressions

Describe which type of regular expression is used in file context
definitions and which flags are in effect.

Explain how local file context modifications are processed.

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Acked-by: Petr Lautrbach <plautrba@redhat.com>
---
python/semanage/semanage | 2 +-
python/semanage/semanage-fcontext.8 | 18 ++++++++++++++++++
2 files changed, 19 insertions(+), 1 deletion(-)

diff --git a/python/semanage/semanage b/python/semanage/semanage
index 781e8645..ebb93ea5 100644
--- a/python/semanage/semanage
+++ b/python/semanage/semanage
@@ -366,7 +366,7 @@ If you do not specify a file type, the file type will default to "all files".
parser_add_seuser(fcontextParser, "fcontext")
parser_add_type(fcontextParser, "fcontext")
parser_add_range(fcontextParser, "fcontext")
- fcontextParser.add_argument('file_spec', nargs='?', default=None, help=_('file_spec'))
+ fcontextParser.add_argument('file_spec', nargs='?', default=None, help=_('Path to be labeled (may be in the form of a Perl compatible regular expression)'))
fcontextParser.set_defaults(func=handleFcontext)
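Review bot: The new help string on the `file_spec` argument says "Path to be labeled" but omits that the path or expression has to be fully qualified, which the man page text added in the same patch states explicitly ("describing fully qualified path(s)"). Since `--help` is often the only text an administrator reads before adding a local rule, consider something like 'Fully qualified path to be labeled (may be a Perl compatible regular expression)', which is also shorter than "may be in the form of" and keeps the wording aligned with the man page.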
diff --git a/python/semanage/semanage-fcontext.8 b/python/semanage/semanage-fcontext.8
index 561123af..49635ba7 100644
--- a/python/semanage/semanage-fcontext.8
+++ b/python/semanage/semanage-fcontext.8
@@ -11,6 +11,24 @@ SELinux policy without requiring modification to or recompilation
from policy sources. semanage fcontext is used to manage the default
file system labeling on an SELinux system. This command maps file paths using regular expressions to SELinux labels.
+FILE_SPEC may contain either a fully qualified path,
+or a Perl compatible regular expression (PCRE),
+describing fully qualified path(s). The only PCRE flag in use is PCRE2_DOTALL,
+which causes a wildcard '.' to match anything, including a new line.
+Strings representing paths are processed as bytes (as opposed to Unicode),
+meaning that non-ASCII characters are not matched by a single wildcard.
+
+Note, that file context definitions specified using 'semanage fcontext'
+(i.e. local file context modifications stored in file_contexts.local)
+have higher priority than those specified in policy modules.
+This means that whenever a match for given file path is found in
+file_contexts.local, no other file context definitions are considered.
+Entries in file_contexts.local are processed from most recent one to the oldest,
+with first match being used (as opposed to the most specific match,
+which is used when matching other file context definitions).
+All regular expressions should therefore be as specific as possible,
+to avoid unintentionally impacting other parts of the filesystem.
+
.SH "OPTIONS"
.TP
.I \-h, \-\-help
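Review bot: The first added paragraph names PCRE2_DOTALL as the only flag in effect but does not say whether FILE_SPEC is matched against the whole path or may match a substring of it, and a reader needs that to act on the closing advice that expressions "should therefore be as specific as possible". Because the second paragraph says a match in file_contexts.local stops all further lookup and that the most recent entry wins over the most specific one, an over-broad local expression silently overrides policy labels; a sentence on anchoring plus one short example of a too-broad and a properly scoped FILE_SPEC would make that risk concrete. The byte-processing sentence could also state how a multi-byte character is matched rather than only that a single '.' does not match it. Minor wording: drop the comma in "Note, that", and add the articles in "for given file path" and "with first match being used".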
--
2.29.2