From patchwork Thu Jul 9 09:03:52 2020 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 8bit X-Patchwork-Submitter: Dominick Grift X-Patchwork-Id: 11653893 Return-Path: Received: from mail.kernel.org (pdx-korg-mail-1.web.codeaurora.org [172.30.200.123]) by pdx-korg-patchwork-2.web.codeaurora.org (Postfix) with ESMTP id 8065C14DD for ; Thu, 9 Jul 2020 09:04:05 +0000 (UTC) Received: from vger.kernel.org (vger.kernel.org [23.128.96.18]) by mail.kernel.org (Postfix) with ESMTP id 5CA7E2070E for ; Thu, 9 Jul 2020 09:04:05 +0000 (UTC) Authentication-Results: mail.kernel.org; dkim=pass (1024-bit key) header.d=defensec.nl header.i=@defensec.nl header.b="dJdKkaxl" Received: (majordomo@vger.kernel.org) by vger.kernel.org via listexpand id S1726313AbgGIJEF (ORCPT ); Thu, 9 Jul 2020 05:04:05 -0400 Received: from agnus.defensec.nl ([80.100.19.56]:57506 "EHLO agnus.defensec.nl" rhost-flags-OK-OK-OK-OK) by vger.kernel.org with ESMTP id S1726006AbgGIJEE (ORCPT ); Thu, 9 Jul 2020 05:04:04 -0400 Received: from localhost.localdomain (brutus [IPv6:2001:985:d55d::438]) by agnus.defensec.nl (Postfix) with ESMTPSA id BE9CA2A1007; Thu, 9 Jul 2020 11:04:02 +0200 (CEST) DKIM-Filter: OpenDKIM Filter v2.11.0 agnus.defensec.nl BE9CA2A1007 DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=defensec.nl; s=default; t=1594285443; bh=JeE3CjGJa6i0ovgAQyMewMYnht8q6g7hybg0at/+W0w=; h=From:To:Cc:Subject:Date:From; b=dJdKkaxl8NmzdjPJ3RuZVqGY04fn1x7Yod7msMeTY6lths5BRdFV+PLezjGyRj4Gi mwfp2dejgCAzf3s5vR9nhgtLNPKxZ9Vpck4wVzoHwAF/p8vTXPbHooGJjbFr5rQJi3 xkJBkd9GOfRqTGlhMPShmO66CimntOKWaqWPptZI= From: Dominick Grift To: selinux@vger.kernel.org Cc: Dominick Grift Subject: [SELinux-notebook PATCH] avc_rules.md: mention secilc with the neverallow statement Date: Thu, 9 Jul 2020 11:03:52 +0200 Message-Id: <20200709090352.1681563-1-dominick.grift@defensec.nl> X-Mailer: git-send-email 2.27.0 MIME-Version: 1.0 Sender: selinux-owner@vger.kernel.org Precedence: bulk List-ID: X-Mailing-List: selinux@vger.kernel.org I was unable to determine whether checkpolicy can be told to disable neverallow checking. Signed-off-by: Dominick Grift --- src/avc_rules.md | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/avc_rules.md b/src/avc_rules.md index a9dead5..7e62d04 100644 --- a/src/avc_rules.md +++ b/src/avc_rules.md @@ -182,8 +182,9 @@ auditallow ada_t self:process execstack; This rule specifies that an `allow` rule must not be generated for the operation, even if it has been previously allowed. The `neverallow` -statement is a compiler enforced action, where the ***checkpolicy**(8)* or +statement is a compiler enforced action, where the ***checkpolicy**(8)*, ***checkmodule**(8)* 1 +or ***secilc**(8)* 2 compiler checks if any allow rules have been generated in the policy source, if so it will issue a warning and stop. @@ -211,6 +212,7 @@ neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;

  1. neverallow statements are allowed in modules, however to detect these the semanage.conf file must have the 'expand-check=1' entry present.

    2. +

  2. The `--disable-neverallow` option can be used with ***secilc**(8)* to disable neverallow rule checking.