On Wed, 2007-08-08 at 13:45 -0500, Jason L Tibbitts III wrote:
> >>>>> "FT" == Forrest Taylor <ftaylor@redhat.com> writes:
>
> FT> Do a -l to list it, and use grep to match your rule ;o)
>
> I was trying to see if an fcontext pattern actually matched any files in the filesystem. Actually I'd like to know something more specific: if it actually has any effect. It could be covered by another rule.
>
> An example: I see an AVC denial on one file, add a rule to change the context on that file and realize later that I need a rule matching the whole directory. A week later and I'm cleaning up; can I really delete that first rule? There are a whole lot of fcontext rules; how do I know it really doesn't have any effect?
In that specific example, you could remove the file rule and use restorecon to verify that it works as expected. It is rather difficult to determine the file context without using some empirical evidence. Note that file_type_auto_trans could also come into play here negating the fcontext rules.
Forrest
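The check Forrest describes (drop the rule, see whether restorecon would change anything) can be modelled offline. The following is an added example, not code from the thread or from the SELinux userland: it parses file_contexts-style rules, applies them to a constructed list of paths, and reports which rules win, which only ever lose to a later rule, and which match nothing, plus what a `restorecon -nv` run would report after a rule is removed. It assumes last-matching-rule-wins ordering with file_contexts.local (where `semanage fcontext -a` writes) loaded after the policy's file_contexts; the rule and path data, and the names `FcRule`, `rule_report` and `label_changes`, are constructed for the example. It does not model file_type_auto_trans (type_transition), which labels a file at creation time; restorecon would still reset such a file to whatever the fcontext rules say.

```python
#!/usr/bin/env python3
"""Which fcontext rules actually have an effect? (added example, not from the list post)

Modelling assumption: libselinux takes the LAST matching rule in load order, and
file_contexts.local is loaded after the policy's file_contexts. The real check is
still `matchpathcon` / `restorecon -nv` against the live policy.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Tuple


class FcRule(NamedTuple):
    regex: str      # pattern as written in file_contexts (matched anchored, like libselinux)
    ftype: str      # '' = any type, '--' regular file, '-d' directory, '-l' symlink, ...
    context: str    # security context, or the literal '<<none>>' (kept as-is here)
    source: str     # file the rule came from, for reporting


FTYPE_CODES = {"--": "file", "-d": "dir", "-l": "symlink", "-c": "char",
               "-b": "block", "-s": "sock", "-p": "pipe"}


def parse_file_contexts(text: str, source: str) -> List[FcRule]:
    """Parse file_contexts syntax: REGEX [TYPE] CONTEXT, '#' comments, blank lines."""
    rules: List[FcRule] = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        if len(fields) == 2:
            regex, ftype, context = fields[0], "", fields[1]
        elif len(fields) == 3 and fields[1] in FTYPE_CODES:
            regex, ftype, context = fields
        else:
            raise ValueError(f"{source}: malformed line {raw!r}")
        rules.append(FcRule(regex, ftype, context, source))
    return rules


def rule_matches(rule: FcRule, path: str, kind: str) -> bool:
    """A rule applies if its file-type filter (if any) and its anchored regex both match."""
    if rule.ftype and FTYPE_CODES[rule.ftype] != kind:
        return False
    return re.fullmatch(rule.regex, path) is not None


def winning_rule(rules: List[FcRule], path: str, kind: str) -> Optional[FcRule]:
    """Last matching rule in load order wins (modelling assumption, see module docstring)."""
    for rule in reversed(rules):
        if rule_matches(rule, path, kind):
            return rule
    return None


def rule_report(rules: List[FcRule], paths: List[Tuple[str, str]]) -> Dict[FcRule, str]:
    """Classify each rule against a path list: 'wins', 'shadowed' (matches but never
    decides a label, i.e. a later rule always covers it) or 'unmatched' (matches nothing)."""
    winners = {winning_rule(rules, p, k) for p, k in paths}
    report: Dict[FcRule, str] = {}
    for rule in rules:
        if rule in winners:
            report[rule] = "wins"
        elif any(rule_matches(rule, p, k) for p, k in paths):
            report[rule] = "shadowed"
        else:
            report[rule] = "unmatched"
    return report


def label_changes(before: List[FcRule], after: List[FcRule],
                  paths: List[Tuple[str, str]]) -> List[Tuple[str, Optional[str], Optional[str]]]:
    """What `restorecon -nv` would print after the rule set changes: (path, old, new) where they differ."""
    changes = []
    for p, k in paths:
        old, new = winning_rule(before, p, k), winning_rule(after, p, k)
        oc, nc = (old.context if old else None), (new.context if new else None)
        if oc != nc:
            changes.append((p, oc, nc))
    return changes


# Constructed sample data (not a real policy): a policy excerpt, then the local rules
# from the thread's scenario: a one-file rule, and the directory rule added a week later.
BASE_FC = r"""
/var/www(/.*)?                 system_u:object_r:httpd_sys_content_t:s0
/var/www/cgi-bin(/.*)?         system_u:object_r:httpd_sys_script_exec_t:s0
"""
LOCAL_FC = r"""
/srv/site/index\.html    --    system_u:object_r:httpd_sys_content_t:s0
/srv/site(/.*)?                system_u:object_r:httpd_sys_content_t:s0
"""
# Constructed stand-in for a filesystem walk: (path, kind)
PATHS = [("/srv/site", "dir"), ("/srv/site/index.html", "file"),
         ("/srv/site/img/logo.png", "file"), ("/var/www/html/index.html", "file")]


def example_rules() -> List[FcRule]:
    """Load order matters: policy file_contexts first, file_contexts.local after it."""
    return parse_file_contexts(BASE_FC, "file_contexts") + parse_file_contexts(LOCAL_FC, "file_contexts.local")


if __name__ == "__main__":
    rules = example_rules()
    for rule, status in rule_report(rules, PATHS).items():
        print(f"{status:9} {rule.source}: {rule.regex} {rule.ftype} {rule.context}")
    trimmed = [r for r in rules if r.regex != r"/srv/site/index\.html"]
    print("changes if the one-file rule is removed:", label_changes(rules, trimmed, PATHS))
```

Against this data the one-file rule is reported as shadowed and removing it changes no label, which is the answer Jason was after; removing the directory rule instead would un-label the directory and the image, so that one is live. The verdict is only as good as the path list, so walk the real subtree (and remember a rule that matches nothing today may match a file created tomorrow).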