FCGlob Specification Paper for the SELinux Symposium Presentation Don Miner The purpose of this paper is to meet the requirements of the SELinux Symposium paper guidelines. A more in-depth paper with proofs, explicit descriptions of the algorithms and more insight on how to push the edge of efficiency would be needed. + Abstract + Introduction - Explanation of how the current file context system works - The problems with the current implementation (examples for each) - How the new syntax addresses these issues - Explanation of the immediate additional benefits and features - Some example ways applications could leverage these features * A faster matchpathcon. * A faster setfiles. * The ability for a user to query with a fcglob and have it return the union of all subsets: "matchdircon"? * The ability to dynamically insert new contexts without having to regenerate the entire graph (semanage?). + Description of the syntax - Goals of the syntax * Expressive enough to get the job done. * Not expressive enough to allow for cleverness. * Easy to learn (everyone knows globbing, not everyone knows RE). * Easy for a computer to analyze subset between two fcglobs. - Quick actual syntax specification - Restrictions that are not obviously part of the syntax * Only one '*' aloud per directory. * Only one '**' aloud per line. - Couple examples of actual current file contexts into fcglobs * one in wihch we would have to split up into several lines. - Self-evaluation of how the syntax performs agains the goals set * For the "easy for a computer to analyze subset" goal, explain the algorithm briefly. + Description of the graphs - Explanation of why a graph makes more sense than a linear list - The subset graph * What it is used for. * How (graph traversal) it is used, briefly. - Others?? (dichotomous key) * What it is used for. * How (graph traversal) it is used, briefly. + Actual implementation - Conversion of the existing file contexts * Automatic coversions. * Manual conversions. * Ambiguous file context expansions. - The overlay implementation * Modification to the policy and the build process. * The fcglob graph can be translated into a linear file_context file with regexps in it so no changes have to be made to libselinux. * Results, does it fix the problems expressed in the introduction? (may not be done in time for final paper, but would be for presentation) - The completely integrated implementation * Explain what would have to be done if the graph was queried from libselinux directly.