
7.2 deny

  1. Syntax
    deny filename;
  2. Meaning
    Describes a constraint on allow entries (a file that stays inaccessible even though a broader allow would match it), and is also used to cancel an allow.
  3. Example
    1. Example 1: Describe constraints
      *In file constraints
      deny /etc/shadow;
      
      *In httpd_t.a
      {
      domain httpd_t;
      include constraints;
      allow /etc/* r,s; 
      }
      
      The line include constraints; splices the contents of the file constraints into the block at that point, so the above configuration is the same as the following.
      {
      domain httpd_t;
      deny   /etc/shadow;
      allow /etc/* r,s;
      }
      
      This means httpd_t has r and s permission on files in /etc, but cannot access /etc/shadow. To grant access to /etc/shadow, allow /etc/shadow r,s; must be written explicitly. deny is useful for preventing misconfiguration: a broad wildcard allow cannot accidentally expose a file that is listed in a shared constraints file.

    2. Example 2: Cancel allow
      {
      domain httpd_t;
      allow /etc/* r,s;
      deny /etc;
      }
      
      The entry allow /etc/* r,s; is cancelled by deny /etc;, so httpd_t is left with no permission on files under /etc.
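The following is an added worked example, not code from this page or from the policy engine it documents: a small Python evaluator for the allow, deny and include directives as they are used in the two examples above. Everything not stated on the page is an assumption and is marked as such in the code: the policy "files" are constructed in memory, * is taken to match any characters except /, an include line is taken to splice the named file's lines in place, and the priority between allow and deny is modelled only from what the examples show (an explicit allow on the exact path beats a deny, a deny on the path or one of its ancestor directories beats a wildcard allow). The real priority rules are the subject of the next section, not of this example.

```python
"""Toy evaluator for the allow/deny/include policy lines shown in this section.

Constructed example; not the page's own code and not a real policy engine.
Assumed (not stated on the page): '*' matches any characters except '/',
'include NAME' splices NAME's lines in place, permissions are comma-separated
letters such as r,s, and priority is: explicit allow on the exact path >
deny on the path or an ancestor directory > wildcard allow.
"""
import re
from dataclasses import dataclass, field

# Constructed in-memory policy "files" standing in for files on disk.
FILES = {
    "constraints": "deny /etc/shadow;\n",
    "httpd_t.a": "{\ndomain httpd_t;\ninclude constraints;\nallow /etc/* r,s;\n}\n",
    "httpd_t_cancel.a": "{\ndomain httpd_t;\nallow /etc/* r,s;\ndeny /etc;\n}\n",
}


@dataclass
class Policy:
    domain: str = ""
    allows: list = field(default_factory=list)  # [(pattern, {perms})]
    denies: list = field(default_factory=list)  # [path]


def expand(name, files, depth=0):
    """Yield policy lines of `name` with include directives spliced in place."""
    if depth > 8:  # guard against an include cycle (assumed limit)
        raise ValueError("include nesting too deep")
    for raw in files[name].splitlines():
        line = raw.strip().rstrip(";").strip()
        if not line or line in ("{", "}"):
            continue
        if line.startswith("include "):
            yield from expand(line.split(None, 1)[1], files, depth + 1)
        else:
            yield line


def parse(name, files=FILES):
    """Parse one domain block into a Policy; raises on unknown directives."""
    pol = Policy()
    for line in expand(name, files):
        words = line.split()
        if words[0] == "domain":
            pol.domain = words[1]
        elif words[0] == "allow":
            pol.allows.append((words[1], set(words[2].split(","))))
        elif words[0] == "deny":
            pol.denies.append(words[1])
        else:
            raise ValueError(f"unknown directive: {line}")
    return pol


def match(pattern, path):
    """Assumed wildcard semantics: '*' matches any run of non-'/' characters."""
    regex = "".join("[^/]*" if c == "*" else re.escape(c) for c in pattern)
    return re.fullmatch(regex, path) is not None


def check(pol, path, perm):
    """Return True if `perm` on `path` is granted under the modelled priority."""
    # 1. An explicit (wildcard-free) allow on the exact path wins outright.
    if any(pat == path and perm in perms for pat, perms in pol.allows):
        return True
    # 2. A deny on the path itself or on an ancestor directory cancels allows.
    if any(path == d or path.startswith(d.rstrip("/") + "/") for d in pol.denies):
        return False
    # 3. Otherwise a wildcard allow carrying the permission grants it.
    return any(match(pat, path) and perm in perms for pat, perms in pol.allows)


if __name__ == "__main__":
    p = parse("httpd_t.a")
    print(check(p, "/etc/passwd", "r"))  # allowed by allow /etc/* r,s
    print(check(p, "/etc/shadow", "r"))  # blocked by the included deny
    p.allows.append(("/etc/shadow", {"r", "s"}))  # explicit allow, as the text says
    print(check(p, "/etc/shadow", "r"))
    q = parse("httpd_t_cancel.a")
    print(check(q, "/etc/passwd", "r"))  # deny /etc cancels allow /etc/*
```

Running the block prints the four decisions for the two examples in order: /etc/passwd granted, /etc/shadow refused, /etc/shadow granted once the explicit allow is added, and /etc/passwd refused under the cancelling deny /etc;. Because * is modelled as not crossing a /, a file such as /etc/ssh/sshd_config is not covered by allow /etc/* at all; if the real engine treats the wildcard differently, only match() needs to change.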



2006-07-05