Comment 3 for bug 387663
Revision history for this message
| Steve Beattie (sbeattie) wrote Re: [Bug 387663] Re: aa-logprof: doesn't remove redundant rules | #3 |
© 2004
Canonical Ltd.
•
Terms of use
•
Data privacy
•
Contact Launchpad Support
•
Blog
•
Careers
•
System status
•
bbfa235
(Get the code!)
On Tue, Jun 16, 2009 at 07:06:36PM -0000, Tom Metro wrote:
> Thanks. I figured that might be the case. Same true for /dir/ vs.
> /dir/** I presume.
Yes, the latter matches everything underneath /dir/ but not /dir/
itself.
> But what about:
>
> /video2/**/ r,
> /video2/
> /video2/
>
> These seem redundant, unless that first rule should be /video2/**
> without the trailing slash.
Indeed it should be /video2/** as /video2/**/ is telling it to match any
directory under /video2/. /video2/** will allow access to any files or
directories under /video2/.
You can also restrict access to just files under /video2/ with the pattern
'/video2/**[^/]', but things that need to query what directory entries
exist in each directory will need read access to the directories. An
alternative pattern where you know /video2 will be populated by only
*.mpg files and subdirectories would be '/video2/**{.mpg,/} r,'. But
that's a matter of how tight you wish the restrictions to be.
--
Steve Beattie
<email address hidden>
http://