On Wed, 2007-08-08 at 13:45 -0500, Jason L Tibbitts III wrote:
> >>>>> "FT" == Forrest Taylor <ftaylor@xxxxxxxxxx> writes:
>
> FT> Do a -l to list it, and use grep to match your rule ;o)
>
> I was trying to see if an fcontext pattern actually matched any files
> in the filesystem.  Actually I'd like to know something more specific:
> if it actually has any effect.  It could be covered by another rule.
>
> An example: I see an AVC denial on one file, add a rule to change the
> context on that file and realize later that I need a rule matching the
> whole directory.  A week later and I'm cleaning up; can I really
> delete that first rule?  There are a whole lot of fcontext rules; how
> do I know it really doesn't have any effect?

In that specific example, you could remove the file rule and use
restorecon to verify that it works as expected.  It is rather difficult
to determine the file context without using some empirical evidence.
Note that file_type_auto_trans could also come into play here, negating
the fcontext rules.

Forrest
--
fedora-selinux-list mailing list
fedora-selinux-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/fedora-selinux-list
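
An added example, not part of the message above or of any project's code: one way to run the empirical check the reply describes, by recording which context the policy assigns to each file before and after deleting a rule. It assumes `matchpathcon`, `semanage` and `restorecon` are installed; the function names and the paths in the comments are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. Function names and the sample paths
# in the usage comment are hypothetical.

# Print "path<TAB>context" for the label the policy would assign to every
# file under DIR. matchpathcon consults the fcontext rules (local semanage
# rules included); it does not read the label currently on disk.
snapshot_labels() {
    find "$1" -print0 | xargs -0 matchpathcon
}

# Compare two snapshots and print every path whose assigned context changed.
changed_labels() {
    awk -F'\t' '
        NR == FNR { before[$1] = $2; next }
        before[$1] != $2 { print $1 "\t" before[$1] " -> " $2 }
    ' "$1" "$2"
}

# Delete the fcontext rule SPEC, then report the files under DIR that the
# remaining rules label differently. Empty output means the rule was
# redundant; otherwise re-add it with "semanage fcontext -a".
# Usage (as root): check_rule_removal '/srv/app/data/one.file' /srv/app
check_rule_removal() (
    spec=$1; dir=$2
    before=$(mktemp) || exit 1
    after=$(mktemp) || exit 1
    snapshot_labels "$dir" > "$before"
    semanage fcontext -d "$spec" || { rm -f "$before" "$after"; exit 1; }
    snapshot_labels "$dir" > "$after"
    changed_labels "$before" "$after"
    rm -f "$before" "$after"
)

# Afterwards, "restorecon -n -v -R DIR" lists files whose on-disk label
# differs from what the rules assign, without changing anything.
# Labels set at creation time by type transitions are outside this check.
```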