On 12/1/18 11:46 PM, amir.imen@xxxxxxxxx wrote:
> I wonder if the order of rules (i.e., the arrangement of rules) in SELinux policies is important or not. For example, putting constrain rules before or after certain allow rules can change the decision of the policy?
The order of policy rules will not affect access decisions, so it does not matter whether a constrain rule or allow rule comes first.
If you build a policy using a policy.conf file and checkpolicy, then there is a particular order that all the rules must be in, but most people will not be building policy that way.
The order of labeling rules such as portcon and file contexts can be important, but they are sorted automatically when using the normal policy tools to put the rules in a logical and consistent order.
_______________________________________________ selinux mailing list -- selinux@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to selinux-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/selinux@xxxxxxxxxxxxxxxxxxxxxxx
-- James Carter <jwcart2@xxxxxxxxxxxxx> National Security Agency
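
The point made in the reply above, as an added example that is not part of the original message or of the SELinux tools: a simplified Python model in which an access decision is "some allow rule grants the permission and every applicable constraint holds", checked over every ordering of the rules, next to a port-label lookup where overlapping entries do depend on order. The rule tuples, type names, port ranges and the first-match lookup are assumptions made for illustration.

```python
from itertools import permutations

# Constructed sample rules; type and attribute names are illustrative only.
RULES = [
    ("allow", "app_t", "data_t", "file", {"read"}),
    ("constrain", "file", {"write"}, lambda s, t: s["user"] == t["user"]),
    ("allow", "app_t", "data_t", "file", {"write"}),
]

def decide(rules, src, tgt, cls, perm):
    """Granted iff some allow rule covers perm and every matching constraint holds."""
    allowed = any(
        r[0] == "allow" and r[1:4] == (src["type"], tgt["type"], cls) and perm in r[4]
        for r in rules
    )
    constraints_ok = all(
        r[3](src, tgt)
        for r in rules
        if r[0] == "constrain" and r[1] == cls and perm in r[2]
    )
    return allowed and constraints_ok

def decisions_over_all_orders(src, tgt, cls, perm):
    """Distinct outcomes across every ordering of RULES (one element = order-free)."""
    return {decide(list(p), src, tgt, cls, perm) for p in permutations(RULES)}

# Labeling model (assumption): the first matching (low, high, label) entry wins,
# so two overlapping entries give different labels depending on their order.
PORTCONS = [(1, 1023, "reserved_port_t"), (80, 80, "http_port_t")]

def port_label(entries, port):
    for low, high, label in entries:
        if low <= port <= high:
            return label
    return "port_t"  # fallback label in this model

def sort_narrowest_first(entries):
    """Consistent ordering: the most specific (smallest) range is matched first."""
    return sorted(entries, key=lambda e: e[1] - e[0])

if __name__ == "__main__":
    app = {"type": "app_t", "user": "user_u"}
    other = {"type": "data_t", "user": "staff_u"}
    print(decisions_over_all_orders(app, other, "file", "write"))
    print(port_label(PORTCONS, 80), port_label(sort_narrowest_first(PORTCONS), 80))
```
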