Comment 3 for bug 387663

Steve Beattie (sbeattie) wrote : Re: [Bug 387663] Re: aa-logprof: doesn't remove redundant rules

On Tue, Jun 16, 2009 at 07:06:36PM -0000, Tom Metro wrote:
> Thanks. I figured that might be the case. Same true for /dir/ vs.
> /dir/** I presume.

Yes, the latter matches everything underneath /dir/ but not /dir/
itself.

> But what about:
>
> /video2/**/ r,
> /video2/mythtv/1024_20090131200000.mpg r,
> /video2/mythtv/1029_20090310173000.mpg r,
>
> These seem redundant, unless that first rule should be /video2/**
> without the trailing slash.

Indeed it should be /video2/** as /video2/**/ is telling it to match any
directory under /video2/. /video2/** will allow access to any files or
directories under /video2/.

You can also restrict access to just files under /video2/ with the pattern
'/video2/**[^/]', but things that need to query what directory entries
exist in each directory will need read access to the directories. An
alternative pattern where you know /video2 will be populated by only
*.mpg files and subdirectories would be '/video2/**{.mpg,/} r,'. But
that's a matter of how tight you wish the restrictions to be.

--
Steve Beattie
<email address hidden>
http://NxNW.org/~steve/
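Steve's pattern explanations can be checked mechanically. The Python below is added here and is not part of the bug thread or of AppArmor itself: aare_to_regex approximates the parser's glob-to-regex translation (the rule that a '*' or '**' directly after a slash must consume at least one character is my assumption modelling why /dir/** leaves out /dir/ itself), and RULES and PATHS are constructed from the thread.

```python
import re

# Constructed sample: the patterns discussed in the thread plus a few paths.
RULES = ["/video2/**/", "/video2/**", "/video2/**[^/]", "/video2/**{.mpg,/}"]
PATHS = ["/video2/", "/video2/mythtv/", "/video2/mythtv/notes.txt",
         "/video2/mythtv/1024_20090131200000.mpg"]

def aare_to_regex(pattern):
    """Translate an AppArmor path glob into an anchored Python regex.
    Modelled rules (an approximation of the parser, not its code):
    '*' = any run of chars except '/', '**' = any run including '/',
    '{a,b}' = alternation, a '[...]' class is passed through verbatim.
    A '*' or '**' that starts the pattern or follows '/' must consume at
    least one character, which is why '/dir/**' does not match '/dir/'.
    """
    out, depth, i = [], 0, 0
    while i < len(pattern):
        c = pattern[i]
        if c == "*":
            double = pattern[i + 1:i + 2] == "*"
            if i == 0 or pattern[i - 1] == "/":
                out.append("[^/]")          # at least one char after '/'
            out.append(".*" if double else "[^/]*")
            i += 2 if double else 1
            continue
        if c == "{":
            depth += 1
            out.append("(?:")
        elif c == "}":
            depth -= 1
            out.append(")")
        elif c == "," and depth:
            out.append("|")
        elif c == "[":                      # copy a class like [^/] as-is
            j = pattern.index("]", i)
            out.append(pattern[i:j + 1])
            i = j
        else:
            out.append(re.escape(c))
        i += 1
    return "^" + "".join(out) + "$"

def matches(pattern, path):
    return re.fullmatch(aare_to_regex(pattern), path) is not None

def covering_rules(rules, path):
    """Rules whose glob covers path; a narrower rule listed beside a
    broader one that also matches is redundant for that path."""
    return [r for r in rules if matches(r, path)]
```

Calling covering_rules(RULES, p) for each constructed path shows that the .mpg file is covered by every pattern except '/video2/**/', which is why the two explicit .mpg rules in the original profile were not redundant, while '/video2/' itself is covered by none of them.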