Hello Christian and SELinux developers, I observed 3.8-rc1 introduced an incompatible change that appears to be a regression regarding how file_contexts matching rules are applied when multiple rules match the same path. Before 3.8-rc1, when multiple rules matched a path, the last matching rule in the file_contexts file was applied. However, in 3.8-rc1, the rule precedence has changed, and the chosen rule is no longer easily predictable. I think we should keep the older version's precedence rule to avoid breaking existing rules. This is a real-world example from Android: > /system(/.*)? u:object_r:system_file:s0 > /(vendor|system/vendor)(/.*)? u:object_r:vendor_file:s0 Before 3.8-rc1, the second rule was applied to /system/vendor because it was the last matching rule. However, with 3.8-rc1, the first rule is applied instead. In 3.8-rc1, the rules appear to be sorted by decreasing regex string length, leading to this incompatible behavior. Furthermore, the new behavior, where the longest rule is supposedly prioritized, isn't consistently applied either. Consider these rules below. Even though the second rule is longer, the first rule is applied to /foo/bar. This is because now the node for `foo` is processed first. > /foo/b.* u:object_r:b_something_file:s0 > /(foo|baz)/bar u:object_r:bar_file:s0 I think we would want to preserve the original line numbers of rules and pick the largest one in each prefix node. After that, maybe we should match remaining rules of the root node to check if there are matching rules of even larger line numbers. This is the regression I mentioned in https://lore.kernel.org/selinux/CAH9xa6ct0Zf+vg6H6aN9aYzsAPjq8dYM7aF5Sw2eD31cFQ9BZA@xxxxxxxxxxxxxx/ Thanks, Takaya