Inheritance of permissions


SELinux Policy Editor supports "inheritance of permissions" in the access control of directories. When you define access control for a directory without allowing the permissions to be inherited by subdirectories, the defined access control applies only to the files directly under that directory. When you allow inheritance, it applies to the files and subdirectories under the directory, at any depth.

If the permissions granted to a parent directory overlap with the permissions granted to a child directory, the permissions granted to the child directory take precedence. This rule applies even when inheritance is allowed on the parent directory.

For example, if you grant the "httpd_t" domain write access to the "/etc/rc.d" directory and read access to the "/etc" directory, the "httpd_t" domain can write to the "/etc/rc.d" directory.

For example, if you deny the "global" domain (whose settings apply to every domain) access to the "/etc/rc.d" directory, the "httpd_t" domain cannot access the "/etc/rc.d" directory even if you grant "httpd_t" read access to the "/etc" directory.

For example, if you grant the "httpd_t" domain write access to the "/etc/rc.d" directory without allowing inheritance, and read access to the "/etc" directory with inheritance allowed, the "httpd_t" domain can only read "/etc/rc.d/init.d/httpd": the non-inherited rule on "/etc/rc.d" does not reach into the "init.d" subdirectory, so the inherited read rule from "/etc" is the one that applies there.
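The three examples above follow one resolution rule: collect every directory rule (the domain's own and the global domain's) that reaches the object, then let the deepest directory win. The following Python model is an added illustration of that rule as the page describes it; it is not SEEdit's own code, and SEEdit really compiles its policy into SELinux type-enforcement rules, so the SELinux policy it generates makes the actual decision. The "Rule" class, "effective_perms" and "can" are hypothetical names, an explicit deny is modelled as an empty permission set, the page's "write access" is modelled as read plus write, and the tie-break between a global and a domain rule on the same directory is an assumption, since the page does not specify it.

```python
"""Model of the directory-rule precedence described on this page (hypothetical,
not SEEdit's code).  SEEdit itself emits SELinux type-enforcement rules and the
generated policy makes the real decision."""
from dataclasses import dataclass
from typing import FrozenSet, Iterable

READ = frozenset({"r"})
READ_WRITE = frozenset({"r", "w"})   # the page's "write access", modelled as rw
DENY = frozenset()                   # an explicit deny: no permission at all


@dataclass(frozen=True)
class Rule:
    domain: str               # e.g. "httpd_t"; "global" applies to every domain
    directory: str            # directory the rule is attached to (no trailing slash)
    perms: FrozenSet[str]     # permissions granted on the objects the rule reaches
    inherit: bool             # True: subdirectories inherit; False: direct files only


def _applies(rule: Rule, path: str, is_dir: bool) -> bool:
    """Does this directory rule reach the object at `path`?"""
    if path == rule.directory:
        return True                      # the directory object itself
    if not path.startswith(rule.directory + "/"):
        return False                     # not below this directory at all
    if rule.inherit:
        return True                      # everything below, at any depth
    # Without inheritance the rule reaches only files directly under the
    # directory: not subdirectories, and nothing inside them.
    rest = path[len(rule.directory) + 1:]
    return "/" not in rest and not is_dir


def effective_perms(rules: Iterable[Rule], domain: str, path: str,
                    is_dir: bool = False) -> FrozenSet[str]:
    """Permissions `domain` ends up with on `path` under the page's rules."""
    candidates = [r for r in rules
                  if r.domain in (domain, "global") and _applies(r, path, is_dir)]
    if not candidates:
        return DENY                      # SELinux default: nothing is allowed
    # The deepest (most specific) directory wins, even if the parent rule is
    # inherited.  Global vs. domain rule on the same directory is not specified
    # on the page; this model lets the domain's own rule win (assumption).
    best = max(candidates,
               key=lambda r: (r.directory.count("/"), r.domain != "global"))
    return best.perms


def can(rules: Iterable[Rule], domain: str, path: str, perm: str,
        is_dir: bool = False) -> bool:
    return perm in effective_perms(rules, domain, path, is_dir)


# Example 1 from the page: write on /etc/rc.d, read on /etc; the child wins.
EXAMPLE_1 = [Rule("httpd_t", "/etc/rc.d", READ_WRITE, True),
             Rule("httpd_t", "/etc", READ, True)]
# Example 2: the global domain is denied /etc/rc.d, overriding httpd_t's read on /etc.
EXAMPLE_2 = [Rule("global", "/etc/rc.d", DENY, True),
             Rule("httpd_t", "/etc", READ, True)]
# Example 3: write on /etc/rc.d WITHOUT inheritance, read on /etc WITH inheritance.
EXAMPLE_3 = [Rule("httpd_t", "/etc/rc.d", READ_WRITE, False),
             Rule("httpd_t", "/etc", READ, True)]

if __name__ == "__main__":
    checks = [("1", EXAMPLE_1, "/etc/rc.d", True),
              ("2", EXAMPLE_2, "/etc/rc.d", True),
              ("3", EXAMPLE_3, "/etc/rc.d/init.d/httpd", False)]
    for name, rules, path, is_dir in checks:
        perms = sorted(effective_perms(rules, "httpd_t", path, is_dir))
        print(f"example {name}: httpd_t on {path} -> {perms or ['(denied)']}")
```

Running the block prints the outcome of each of the page's three examples; the useful thing to try next is a path the page does not mention, such as a file directly under "/etc/rc.d" in example 3, which the non-inherited rule still covers, versus the "init.d" subdirectory object itself, which it does not.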

