FCGlob: A New Syntax for SELinux File Contexts
Authors: Don Miner, James Athey
Don Miner, James Athey, "FCGlob: A New Syntax for SELinux File Contexts," to appear at the SELinux Symposium, Baltimore, MD, March 2007.
Abstract:
A new syntax designed to replace the usage of regular expressions in SELinux's file contexts is proposed, named FCGlob. There are several major problems with using regular expressions for file contexts, such as an approximated sorting, ambiguous declarations, common user errors, obfuscation due to cleverness and the difficulty in finding set
relationships. FCGlob is designed to address all of these problems by using a simpler syntax that is more tailored to
matching UNIX file paths. The new syntax encourages clear and simple patterns, discourages cleverness and laziness and makes it easy for a computer to analyze. In addition to fixing several problems, FCGlob also opens the
door to several enhancements. The basis for most enhancements is the use of a tree data structure as apposed to a
linear list that that is used in the current implementation of file contexts. Several benefits result from the usage of a
tree structure, such as a faster matchpathcon and the possibility for many new features. Implementing the FCGlob
prototype can be done without making any changes to libselinux by converting all the FCGlobs into regular expressions and ordering them in a linear list. This way not too much work has to be done to demonstrate the
advantages of FCGlob. If the prototype is successful and accepted it can then be integrated into libselinux as a
complete replacement.
Software Components:
fctree.py - The set tree data structure to be used with fcglob. This also contains the methods to be used on the tree, such as matchpathcon. Last updated December 26, 2006.
fcglob2re.py - This converts fcglob patterns to regular expression patterns. This is a crucial part of the prototype implementation since it provides backward compatibility with the old-style regular expression file contexts. Last updated December 26, 2006.
Documents:
Timeline and goals for the project
Outline for the SELinux Symposium paper
A specification of fcglob I wrote for Tresys
My honors thesis, which tried to solve this problem
First draft of the symposium paper (odt)
USENIX paper template, the format for symposium papers
Final draft of the symposium paper for submission (odt)
Tresys Technology, LLC
SELinux Symposium