7.3 Priority of allow, deny when conflict happens

1. OR operation(When allow conflicts)
   When allow rule conflicts, OR operation is applied.
   
   • Example

     domain foo_t;
     allow /var/** r;
     allow /var/** s;
     

     foo_t have r,s permission to under /var.

     domain foo_t;
     allow /var/run/* r;
     allow /var/run/** w;
     

     foo_t have r permission to in /var. But for sub-directory(/var/run/xxx etc), it has w permission.

   • Conflict between child and parent

     domain foo_t;
     allow /var/** r;
     allow /var/run/** w;
     

     foo_t have r permission to under /var(including subdir). For /var/run , it has only w permission.

2. Cancel previous configuration(When allow/deny conflicts)
   When allow and deny conflicts, configuration that appears later survives.
   • Example

     domain foo_t;
     allow /foo/* r,s;
     deny  /foo/* ;
     

     allow /foo/* r,s is cancelled.

     domain foo_t;
     deny  /foo/* ;
     allow /foo/* r,s;
     

     deny /foo/* is cancelled.

     domain foo_t;
     allow  /foo/bar/** r,s;
     deny   /foo/** ;
     

     allow /foo/bar/** r,s is cancelled.

   • Exception
     However,

     domain foo_t;
     deny  /foo/bar/**;
     allow /foo/** r,s;
     

     deny /foo/bar/** is not cancelled. To cancel deny, you have to describe allow for denied directory(in this case, allow /foo/bar some_permission;)