hi
I did not know, but it seems that "order" matters. Would there be a doc, howto or maybe a man page that explains the importance of the order in which rules (maybe only local) appear and are processed?
if I have something like:
$ semanage fcontext -lC
....
/__.aLocalStorages/0/0-SUBVERSIONs(/.*)?/db(/.*)?       all files    system_u:object_r:httpd_sys_rw_content_t:s0
/__.aLocalStorages/0/0-SUBVERSIONs(/.*)?/locks(/.*)?    all files    system_u:object_r:httpd_sys_rw_content_t:s0
/__.aLocalStorages/0/0-SUBVERSIONs(/.*)?                all files    system_u:object_r:httpd_sys_content_t:s0
then: $ /__.aLocalStorages/0/0-SUBVERSIONs/myRepo/locks will not get "httpd_sys_rw_content_t" but I put/add them so they would be:
/__.aLocalStorages/0/0-SUBVERSIONs(/.*)?                all files    system_u:object_r:httpd_sys_content_t:s0
/__.aLocalStorages/0/0-SUBVERSIONs(/.*)?/db(/.*)?       all files    system_u:object_r:httpd_sys_rw_content_t:s0
/__.aLocalStorages/0/0-SUBVERSIONs(/.*)?/locks(/.*)?    all files    system_u:object_r:httpd_sys_rw_content_t:s0
then yes, /__.aLocalStorages/0/0-SUBVERSIONs/myRepo/locks will get "httpd_sys_rw_content_t"
I'd expect such a crucial fact would be in *bold* in man pages, but I cannot find it @centos 7.x.
On Tue, 2017-09-19 at 16:49 +0100, lejeczek wrote:
selinux@lists.fedoraproject.org
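The ordering effect reported in the message above, as an added example that is not part of the original post or of any SELinux tool: a simplified model in which every spec is a regex anchored to the whole path and the last matching entry wins, which is an assumption consistent with what the post observes. The function names `lookup` and `never_wins` and the sample paths other than `myRepo/locks` are constructed for illustration.

```python
import re

# Rules constructed from the two listings in the post: (path regex, context).
BASE = "/__.aLocalStorages/0/0-SUBVERSIONs"
RO = "system_u:object_r:httpd_sys_content_t:s0"
RW = "system_u:object_r:httpd_sys_rw_content_t:s0"

FIRST_ORDER = [
    (BASE + "(/.*)?/db(/.*)?", RW),
    (BASE + "(/.*)?/locks(/.*)?", RW),
    (BASE + "(/.*)?", RO),  # general rule listed last
]
SECOND_ORDER = [FIRST_ORDER[2], FIRST_ORDER[0], FIRST_ORDER[1]]

# Constructed sample paths used to exercise the rules.
SAMPLES = [
    BASE + "/myRepo/locks",
    BASE + "/myRepo/db/current",
    BASE + "/myRepo/conf",
]


def lookup(rules, path):
    """Return (index, context) of the LAST rule matching the whole path.

    Assumption: a later matching entry overrides an earlier one.
    """
    hit = None
    for i, (spec, context) in enumerate(rules):
        if re.fullmatch(spec, path):
            hit = (i, context)
    return hit


def never_wins(rules, sample_paths):
    """Specs that match some sample path but are always overridden."""
    matched, won = set(), set()
    for path in sample_paths:
        idx = [i for i, (s, _) in enumerate(rules) if re.fullmatch(s, path)]
        matched.update(idx)
        if idx:
            won.add(idx[-1])
    return [rules[i][0] for i in sorted(matched - won)]


if __name__ == "__main__":
    for name, rules in (("first", FIRST_ORDER), ("second", SECOND_ORDER)):
        for p in SAMPLES:
            print(name, p, lookup(rules, p)[1])
        print(name, "never wins:", never_wins(rules, SAMPLES))
```

Running `never_wins` over a set of representative paths before relabeling shows which specific rules are being overridden by a broader rule listed after them.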