Currently, filename transitions are stored separately from other type enforcement rules and only support exact name matching. However, in practice, the names contain variable parts. This leads to many duplicated rules in the policy that differ only in the part of the name, or it is even impossible to cover all possible combinations.
This patch reflects changes in libsepol implemented in this patch.
The patch adds additional filename transition tables to the policydb structure for prefix and suffix rules and updates the functions that access them.
This is a new reimplemented version of the feature, as the previous version was not accepted by the SELinux kernel upstream.
Reviewed-by: Ondrej Mosnacek <omosnace@redhat.com>
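To make the distinction between exact, prefix and suffix filename transition matching concrete, here is a small added example in C. It is not code from this patch or from the SELinux kernel tree and does not model the real policydb layout; the rule names, type names, the precedence order (exact table first, then prefix, then suffix) and the longest-match rule within a table are all assumptions made for illustration.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Match kinds for a filename transition rule (constructed for this example;
 * the kernel's policydb tables are not modelled here). */
enum ft_match { FT_EXACT, FT_PREFIX, FT_SUFFIX };

struct ft_rule {
    enum ft_match kind;
    const char *name;   /* exact name, prefix, or suffix to compare against */
    const char *type;   /* hypothetical type assigned to the new object */
};

/* Constructed sample rule set: one table per match kind, as the patch
 * description suggests, instead of one exact rule per name variant. */
static const struct ft_rule exact_rules[] = {
    { FT_EXACT, "resolv.conf", "net_conf_t" },
};
static const struct ft_rule prefix_rules[] = {
    { FT_PREFIX, ".bash_",        "user_dotfile_t" },
    { FT_PREFIX, ".bash_history", "user_history_t" }, /* more specific prefix */
};
static const struct ft_rule suffix_rules[] = {
    { FT_SUFFIX, ".log", "var_log_t" },
};

#define COUNT(a) (sizeof(a) / sizeof((a)[0]))

static int rule_matches(const struct ft_rule *r, const char *fname)
{
    size_t nlen = strlen(fname), rlen = strlen(r->name);
    switch (r->kind) {
    case FT_EXACT:  return strcmp(fname, r->name) == 0;
    case FT_PREFIX: return nlen >= rlen && strncmp(fname, r->name, rlen) == 0;
    case FT_SUFFIX: return nlen >= rlen && strcmp(fname + nlen - rlen, r->name) == 0;
    }
    return 0;
}

/* Return the longest matching rule in one table, or NULL if none matches.
 * Longest-match is an assumption so that ".bash_history" beats ".bash_". */
static const struct ft_rule *lookup_table(const struct ft_rule *tbl, size_t n,
                                          const char *fname)
{
    const struct ft_rule *best = NULL;
    for (size_t i = 0; i < n; i++)
        if (rule_matches(&tbl[i], fname) &&
            (!best || strlen(tbl[i].name) > strlen(best->name)))
            best = &tbl[i];
    return best;
}

/* Exact table first, then prefix, then suffix (assumed precedence).
 * Returns the transition target type, or NULL when no rule applies. */
const char *ft_lookup(const char *fname)
{
    const struct ft_rule *r;
    if ((r = lookup_table(exact_rules, COUNT(exact_rules), fname)))
        return r->type;
    if ((r = lookup_table(prefix_rules, COUNT(prefix_rules), fname)))
        return r->type;
    if ((r = lookup_table(suffix_rules, COUNT(suffix_rules), fname)))
        return r->type;
    return NULL;
}

int main(void)
{
    const char *names[] = { "resolv.conf", ".bash_profile", ".bash_history",
                            "messages.log", "README" };
    for (size_t i = 0; i < COUNT(names); i++) {
        const char *t = ft_lookup(names[i]);
        printf("%-15s -> %s\n", names[i], t ? t : "(no transition)");
    }
    return 0;
}
```

With the three tables, a single prefix rule covers every `.bash_*` dotfile that would otherwise need its own exact rule, while an exact rule still wins whenever one exists for the full name.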