From 3ea3d3b103855ca46a1e1557b0017820bbc4e800 Mon Sep 17 00:00:00 2001
From: "Chris St. Pierre" <chris.a.st.pierre@gmail.com>
Date: Wed, 1 Aug 2012 11:27:15 -0400
Subject: added docs about conflicting ACLs and permissions

---
 doc/server/plugins/generators/rules.txt | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

(limited to 'doc')

diff --git a/doc/server/plugins/generators/rules.txt b/doc/server/plugins/generators/rules.txt
index 0b143dcd6..107ec148a 100644
--- a/doc/server/plugins/generators/rules.txt
+++ b/doc/server/plugins/generators/rules.txt
@@ -376,6 +376,22 @@ It is not currently possible to manually set an effective rights mask;
 the mask will be automatically calculated from the given ACLs when
 they are applied.
 
+Note that it is possible to set ACLs that demand different permissions
+on a file than those specified in the ``perms`` attribute on the
+``Path`` tag.  For instance:
+
+.. code-block:: xml
+
+    <Path name="/etc/foo" perms="0644" group="root" owner="root">
+      <ACL type="access" scope="user" user="foouser" perms="rwx"/>
+    </Path>
+
+In this case, we've specified permissions of ``0644``, but the
+effective rights mask will be "rwx," so setting the ACL will change
+the permissions to ``0674``.  When this happens, Bcfg2 will change the
+permissions and set the ACLs on every run and the entry will be
+eternally marked as bad.
+
 SELinux Tag
 -----------
 
-- 
cgit v1.2.3-1-g7c22