From patchwork Thu Jul 9 18:10:15 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Dominick Grift X-Patchwork-Id: 11654873 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 5CCFC14E3 for ; Thu, 9 Jul 2020 18:10:33 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 0B5F2207DD for ; Thu, 9 Jul 2020 18:10:33 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=defensec.nl header.i=@defensec.nl header.b="dnSEXycg" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726750AbgGISKc (ORCPT ); Thu, 9 Jul 2020 14:10:32 -0400 Received: from lindbergh.monkeyblade.net ([23.128.96.19]:52730 "EHLO lindbergh.monkeyblade.net" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726582AbgGISKc (ORCPT ); Thu, 9 Jul 2020 14:10:32 -0400 X-Greylist: delayed 37162 seconds by postgrey-1.37 at lindbergh.monkeyblade.net; Thu, 09 Jul 2020 11:10:32 PDT Received: from agnus.defensec.nl (agnus.defensec.nl [IPv6:2001:985:d55d::711]) by lindbergh.monkeyblade.net (Postfix) with ESMTP id 441E3C08C5CE for ; Thu, 9 Jul 2020 11:10:32 -0700 (PDT) Received: from localhost.localdomain (brutus.lan [IPv6:2001:985:d55d::438]) by agnus.defensec.nl (Postfix) with ESMTPSA id 6B32B2A0FFA; Thu, 9 Jul 2020 20:10:30 +0200 (CEST) DKIM-Filter: OpenDKIM Filter v2.11.0 agnus.defensec.nl 6B32B2A0FFA DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=defensec.nl; s=default; t=1594318230; bh=USpiocSfUrp6hUsdu3azDDqfCKIj+eYD6cWNe3ElSAE=; h=From:To:Cc:Subject:Date:In-Reply-To:References:From; b=dnSEXycghyrzrOgpEEl36uTdSPRQQP/L6p3JMwBQXKQ1QYC8kZ9y5VlmotT5XLQwJ 2V2rV8wYLHsoMnGW3UpkcPd3WwHwTREOzyy/tZU+UgZSVcJXrYVXxfzmMlEzhCEYFc fK7qvtyBeXxy542dNAxF0lPfsSWHxyEcXgg5Z3xo= From: Dominick Grift To: selinux@vger.kernel.org Cc: Dominick Grift Subject: [PATCH] avc_rules.md: mention secilc with the neverallow statement Date: Thu, 9 Jul 2020 20:10:15 +0200 Message-Id: <20200709181015.3687-1-dominick.grift@defensec.nl> X-Mailer: git-send-email 2.27.0 In-Reply-To: References: MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org I was unable to determine whether checkpolicy can be told to disable neverallow checking. v2: As the footnote is HTML, to render the man page entry it needs to be: secilc(8) Signed-off-by: Dominick Grift --- src/avc_rules.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/avc_rules.md b/src/avc_rules.md index a9dead5..5c2a491 100644 --- a/src/avc_rules.md +++ b/src/avc_rules.md @@ -182,8 +182,9 @@ auditallow ada_t self:process execstack; This rule specifies that an `allow` rule must not be generated for the operation, even if it has been previously allowed. The `neverallow` -statement is a compiler enforced action, where the ***checkpolicy**(8)* or +statement is a compiler enforced action, where the ***checkpolicy**(8)*, ***checkmodule**(8)* 1 +or ***secilc**(8)* 2 compiler checks if any allow rules have been generated in the policy source, if so it will issue a warning and stop. @@ -211,6 +212,7 @@ neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;

  1. neverallow statements are allowed in modules, however to detect these the semanage.conf file must have the 'expand-check=1' entry present.

    2. +

  2. The `--disable-neverallow` option can be used with secilc(8) to disable neverallow rule checking.