From: Nicolas Iooss
Date: Wed, 21 Aug 2019 21:57:14 +0200
Subject: Why is /usr/include matched with /usr/inclu.e?
To: selinux-refpolicy@vger.kernel.org

Hi all,

While checking the patterns in refpolicy, I stumbled upon the following line in
https://github.com/SELinuxProject/refpolicy/blob/RELEASE_2_20190609/policy/modules/kernel/files.fc#L200

    /usr/inclu.e(/.*)?    gen_context(system_u:object_r:usr_t,s0)

This pattern matches /usr/include and its content, but why is a dot used? Which other directories can it match? The issue there is that a dot can match a slash, so the pattern also matches /usr/inclu/e/, which seems strange.

This pattern has been introduced in the very early days of refpolicy's git repository, according to
https://github.com/SELinuxProject/refpolicy/commit/f8ec0ad43b54437e2d9f0e48a773a64dbd9e543c#diff-e333cb52d2139f7a71f0dfbd32c06f70R117.

Does anyone remember why the pattern for /usr/include is so special?

Thanks,
Nicolas
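
The matching behaviour asked about above, as an added example that is not part of the original message or of refpolicy: it tests constructed paths against the quoted pattern and against a literal variant. The whole-path anchoring, the `STRICT` pattern, the helper names and the sample paths are assumptions made for illustration.

```python
import re

# Pattern quoted in the message (files.fc), and a literal variant for comparison.
LOOSE = r"/usr/inclu.e(/.*)?"
STRICT = r"/usr/include(/.*)?"  # hypothetical tightened form, not from refpolicy


def fc_compile(pattern):
    """Compile a file-context path regex anchored at both ends.

    Assumption: an entry must match the whole path, and '.' matches
    every character (DOTALL), including '/'.
    """
    return re.compile(r"\A(?:" + pattern + r")\Z", re.DOTALL)


def fc_match(pattern, path):
    """True when the anchored pattern matches the complete path."""
    return fc_compile(pattern).match(path) is not None


def only_loose(paths):
    """Paths accepted by LOOSE but rejected by STRICT."""
    return [p for p in paths if fc_match(LOOSE, p) and not fc_match(STRICT, p)]


def dot_position_chars():
    """Printable ASCII characters accepted at the '.' position."""
    return [chr(c) for c in range(0x20, 0x7F)
            if fc_match(LOOSE, "/usr/inclu" + chr(c) + "e")]


# Constructed sample paths (not taken from any real system).
SAMPLES = [
    "/usr/include",
    "/usr/include/stdio.h",
    "/usr/inclu/e",
    "/usr/inclu/e/foo",
    "/usr/incluXe",
    "/usr/include2",
    "/usr/inclue",
]

if __name__ == "__main__":
    for path in SAMPLES:
        print(f"{path:24} loose={fc_match(LOOSE, path)!s:5} "
              f"strict={fc_match(STRICT, path)}")
    print("matched only by the dot pattern:", only_loose(SAMPLES))
    print("characters accepted by the dot:", len(dot_position_chars()))
```
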