In the standard policy, most of the kernel/service modules allow access to unlabelled traffic, interfaces and nodes. I have a simple question regarding this: if I were to write an additional module and include a neverallow statement to deny previously granted access to such resources, would this be enough (my understanding of neverallow is that it just checks whether previous 'allow' statements were issued and, if so, generates a warning and stops)? If neverallow is not the way to go, what could I do, short of altering every single policy file and removing the appropriate allow statements, to disable such access to the above resources?