Discussion:
The order of policy rules in SELinux policies
a***@gmail.com
2018-12-02 04:46:20 UTC
I wonder if the order of rules (i.e., the arrangement of rules) in SELinux policies is important or not. For example, can putting constrain rules before or after certain allow rules change the decision of the policy?
_______________________________________________
selinux mailing list -- ***@lists.fedoraproject.org
To unsubscribe send an email to selinux-***@lists.fedoraproject.org
Fedora Code of Conduct: https://getfedora.org/code-of-conduct.html
List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
List Archives: https://lists.fedoraproj
jwcart2
2018-12-03 16:47:28 UTC
Post by a***@gmail.com
I wonder if the order of rules (i.e., the arrangement of rules) in SELinux policies is important or not. For example, can putting constrain rules before or after certain allow rules change the decision of the policy?
The order of policy rules will not affect access decisions, so it does not
matter whether a constrain rule or allow rule comes first.

If you build a policy using a policy.conf file and checkpolicy, then there is a
particular order that all the rules must be in, but most people will not be
building policy that way.

The order of labeling rules such as portcon and file contexts can be important,
but they are sorted automatically when using the normal policy tools to put the
rules in a logical and consistent order.
--
James Carter <***@tycho.nsa.gov>
National Security Agency
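
A simplified model of the point made in the reply above, added here as an example and not part of the original thread or of any SELinux code: allow rules are merged into a set of permissions (a union) and every matching constrain rule must hold (a conjunction), so reordering the rules cannot change a decision. The types, users, roles and rules below are constructed for illustration.

```python
from itertools import permutations

# Constructed sample rules (hypothetical types; not taken from a real policy).
# ("allow", source_type, target_type, class, perms)
# ("constrain", class, perms, predicate(source_ctx, target_ctx))
RULES = [
    ("allow", "app_t", "data_t", "file", {"read", "getattr"}),
    ("constrain", "file", {"write"}, lambda s, t: s["user"] == t["user"]),
    ("allow", "app_t", "data_t", "file", {"write"}),
    ("constrain", "file", {"read", "write"}, lambda s, t: s["role"] != "guest_r"),
]

def compile_policy(rules):
    """Fold rules into an access-vector table and a list of constraints."""
    av = {}           # (source, target, class) -> allowed perms, built by set union
    constraints = []  # all matching constraints must hold, so list order is irrelevant
    for rule in rules:
        if rule[0] == "allow":
            _, src, tgt, cls, perms = rule
            av.setdefault((src, tgt, cls), set()).update(perms)
        else:
            _, cls, perms, pred = rule
            constraints.append((cls, frozenset(perms), pred))
    return av, constraints

def allowed(policy, sctx, tctx, cls, perm):
    """Grant only if an allow rule covers perm AND every matching constraint passes."""
    av, constraints = policy
    if perm not in av.get((sctx["type"], tctx["type"], cls), set()):
        return False
    return all(pred(sctx, tctx) for c, perms, pred in constraints
               if c == cls and perm in perms)

def decisions(rules, queries):
    policy = compile_policy(rules)
    return [allowed(policy, *q) for q in queries]

ALICE = {"user": "alice_u", "role": "user_r", "type": "app_t"}
GUEST = {"user": "alice_u", "role": "guest_r", "type": "app_t"}
OWN = {"user": "alice_u", "role": "object_r", "type": "data_t"}
OTHER = {"user": "bob_u", "role": "object_r", "type": "data_t"}
QUERIES = [(ALICE, OWN, "file", "write"), (ALICE, OTHER, "file", "write"),
           (ALICE, OTHER, "file", "read"), (GUEST, OWN, "file", "read"),
           (ALICE, OWN, "file", "append")]

def order_independent(rules, queries):
    """Compare the decisions for every permutation of the rules with the baseline."""
    baseline = decisions(rules, queries)
    return all(decisions(list(p), queries) == baseline for p in permutations(rules))
```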