The way readdir lookups work is the inode for the entry in the directory you're listing is looked up in the RBAC policy (using the device number of the parent directory)
It begins with the specific subject for the binary and works back through subjects it inherits from if a match isn't found.
If a specific match for that file still isn't found, then a lookup is performed on the directory being listed. If for the match generated there is no attached globbed object (for instance, the globbed object /home/* gets attached to the /home object, since /home is the greatest static match for the object), then the results of that match are returned.
If for the match found there are attached globbed objects, as would be the case here due to the /home/* rule, then the full pathname for the file being looked up is generated and each of the attached globbed objects are matched against the filename. The first match determines the result.
If no match is found among the globbed objects, then the result is based off the match for the lookup of the directory being listed.
So, from this description, Your /home/users rule should have been matched at the very first inode/device check.
The only thing that I can think of that would cause a problem like the one you described would involve mountpoints. If the directory according to the readdir call had to do with /home as it exists on the / filesystem instead of the root of the filesystem mounted at /home, then the wrong device number might be used for the check. If you can mail me at
[email protected] and give me a list of mountpoints on your system, I can give you some things to add to your kernel to help debug the problem.
-Brad