Message ID | 20200709090352.1681563-1-dominick.grift@defensec.nl (mailing list archive)
---|---
State | Superseded
Series | [SELinux-notebook] avc_rules.md: mention secilc with the neverallow statement
On Thu, 2020-07-09 at 11:03 +0200, Dominick Grift wrote: > I was unable to determine whether checkpolicy can be told to disable > neverallow checking. > > Signed-off-by: Dominick Grift <dominick.grift@defensec.nl> > --- > src/avc_rules.md | 4 +++- > 1 file changed, 3 insertions(+), 1 deletion(-) > > diff --git a/src/avc_rules.md b/src/avc_rules.md > index a9dead5..7e62d04 100644 > --- a/src/avc_rules.md > +++ b/src/avc_rules.md > @@ -182,8 +182,9 @@ auditallow ada_t self:process execstack; > > This rule specifies that an `allow` rule must not be generated for > the > operation, even if it has been previously allowed. The `neverallow` > -statement is a compiler enforced action, where the > ***checkpolicy**(8)* or > +statement is a compiler enforced action, where the > ***checkpolicy**(8)*, > ***checkmodule**(8)* <a href="#fna1" class="footnote-ref" > id="fnavc1"><sup>1</sup></a> > +or ***secilc**(8)* <a href="#fna2" class="footnote-ref" > id="fnavc2"><sup>2</sup></a> > compiler checks if any allow rules have been generated in the policy > source, > if so it will issue a warning and stop. > > @@ -211,6 +212,7 @@ neverallow { domain -mmap_low_domain_type } > self:memprotect mmap_zero; > <section class="footnotes"> > <ol> > <li id="fna1"><p><code>neverallow</code> statements are allowed in > modules, however to detect these the <em>semanage.conf</em> file must > have the 'expand-check=1' entry present.<a href="#fnavc1" > class="footnote-back">↩</a></p></li> > +<li id="fna2"><p>The `--disable-neverallow` option can be used with > ***secilc**(8)* to disable <code>neverallow</code> rule checking.<a > href="#fnavc2" class="footnote-back">↩</a></p></li> > </ol> > </section> As the footnote is HTML, to render the man page entry it needs to be: <em><strong>secilc</strong>(8)</em> >
On Thu, Jul 9, 2020 at 5:04 AM Dominick Grift <dominick.grift@defensec.nl> wrote:
>
> I was unable to determine whether checkpolicy can be told to disable
> neverallow checking.

There is presently no way to disable neverallow checking for checkpolicy.
diff --git a/src/avc_rules.md b/src/avc_rules.md index a9dead5..7e62d04 100644 --- a/src/avc_rules.md +++ b/src/avc_rules.md @@ -182,8 +182,9 @@ auditallow ada_t self:process execstack; This rule specifies that an `allow` rule must not be generated for the operation, even if it has been previously allowed. The `neverallow` -statement is a compiler enforced action, where the ***checkpolicy**(8)* or +statement is a compiler enforced action, where the ***checkpolicy**(8)*, ***checkmodule**(8)* <a href="#fna1" class="footnote-ref" id="fnavc1"><sup>1</sup></a> +or ***secilc**(8)* <a href="#fna2" class="footnote-ref" id="fnavc2"><sup>2</sup></a> compiler checks if any allow rules have been generated in the policy source, if so it will issue a warning and stop. @@ -211,6 +212,7 @@ neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero; <section class="footnotes"> <ol> <li id="fna1"><p><code>neverallow</code> statements are allowed in modules, however to detect these the <em>semanage.conf</em> file must have the 'expand-check=1' entry present.<a href="#fnavc1" class="footnote-back">↩</a></p></li> +<li id="fna2"><p>The `--disable-neverallow` option can be used with ***secilc**(8)* to disable <code>neverallow</code> rule checking.<a href="#fnavc2" class="footnote-back">↩</a></p></li> </ol> </section>
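Review bot: In the `@@ -182,8 +182,9 @@` hunk the subject now lists three tools (`***checkpolicy**(8)*`, `***checkmodule**(8)*` or `***secilc**(8)*`) but the sentence still continues "compiler checks if any allow rules have been generated", so the number no longer agrees; consider "compilers check" or "the compiler in use checks". The markdown emphasis form `***secilc**(8)*` itself matches the existing `***checkmodule**(8)*` on the same line, so that part is consistent.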
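Review bot: In the `@@ -211,6 +212,7 @@` hunk the new `fna2` footnote is placed inside the raw HTML `<section class="footnotes">`, where markdown is not processed, so the backticks around `--disable-neverallow` and the `***secilc**(8)*` emphasis will be rendered literally. The neighbouring `fna1` footnote uses HTML markup for the same purpose (`<code>neverallow</code>`, `<em>semanage.conf</em>`), so the line should read `<code>--disable-neverallow</code>` and `<em><strong>secilc</strong>(8)</em>`, as the earlier reply in this thread also points out.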
I was unable to determine whether checkpolicy can be told to disable neverallow checking.

Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
---
 src/avc_rules.md | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)