On Tue, 2017-09-19 at 16:49 +0100, lejeczek wrote:
> hi
>
> I did not know, but it seems that "order" matters.
> Would there be a doc, howto or maybe a man page that
> explains importance of the order in which rules (maybe only
> local) appear, are processed?
>
> if I have something like:
>
> $ semanage fcontext -lC
> ....
> /__.aLocalStorages/0/0-SUBVERSIONs(/.*)?/db(/.*)?     all files  system_u:object_r:httpd_sys_rw_content_t:s0
> /__.aLocalStorages/0/0-SUBVERSIONs(/.*)?/locks(/.*)?  all files  system_u:object_r:httpd_sys_rw_content_t:s0
> /__.aLocalStorages/0/0-SUBVERSIONs(/.*)?              all files  system_u:object_r:httpd_sys_content_t:s0
>
> then:
> $ /__.aLocalStorages/0/0-SUBVERSIONs/myRepo/locks will not
> get "httpd_sys_rw_content_t"
> but I put/add them so they would be:
>
> /__.aLocalStorages/0/0-SUBVERSIONs(/.*)?              all files  system_u:object_r:httpd_sys_content_t:s0
> /__.aLocalStorages/0/0-SUBVERSIONs(/.*)?/db(/.*)?     all files  system_u:object_r:httpd_sys_rw_content_t:s0
> /__.aLocalStorages/0/0-SUBVERSIONs(/.*)?/locks(/.*)?  all files  system_u:object_r:httpd_sys_rw_content_t:s0
>
> then yes, /__.aLocalStorages/0/0-SUBVERSIONs/myRepo/locks
> will get "httpd_sys_rw_content_t"
>
> I'd expect such a crucial fact would be in *bold* in man
> pages, but I cannot find it @centos 7.x.

https://bugzilla.redhat.com/show_bug.cgi?id=678577

_______________________________________________
selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx
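
The ordering effect reported in the quoted message, as an added example that is not part of the original thread and not libselinux code: a small model that assumes the last matching entry among the local regex rules decides the label, which is consistent with both outcomes the poster describes. The function names are hypothetical; the rules and path are copied from the message.

```python
import re

# Rules constructed from the quoted `semanage fcontext -lC` output.
BASE = "/__.aLocalStorages/0/0-SUBVERSIONs(/.*)?"
GENERAL = (BASE, "httpd_sys_content_t")
DB = (BASE + "/db(/.*)?", "httpd_sys_rw_content_t")
LOCKS = (BASE + "/locks(/.*)?", "httpd_sys_rw_content_t")

# The two orders the poster tried.
ORDER_GENERAL_LAST = [DB, LOCKS, GENERAL]
ORDER_GENERAL_FIRST = [GENERAL, DB, LOCKS]


def matching_rules(rules, path):
    """Return (index, regex, type) for each rule whose anchored regex matches path."""
    return [(i, rx, t) for i, (rx, t) in enumerate(rules) if re.fullmatch(rx, path)]


def effective_type(rules, path):
    """Assumed model: the last matching entry in the list decides the label."""
    hits = matching_rules(rules, path)
    return hits[-1][2] if hits else None


def shadowed(rules, path):
    """Rules that match path but lose to a later entry carrying a different type."""
    hits = matching_rules(rules, path)
    if not hits:
        return []
    winner = hits[-1][2]
    return [(rx, t) for _, rx, t in hits[:-1] if t != winner]


if __name__ == "__main__":
    path = "/__.aLocalStorages/0/0-SUBVERSIONs/myRepo/locks"
    for name, rules in (("general rule last", ORDER_GENERAL_LAST),
                        ("general rule first", ORDER_GENERAL_FIRST)):
        print(name, "->", effective_type(rules, path))
        for rx, t in shadowed(rules, path):
            print("  shadowed:", rx, t)
```

On a real system, `matchpathcon <path>` or `restorecon -n -v <path>` reports the label the loaded file contexts actually select for a path.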