On 08/26/2009 12:09 PM, Joshua Brindle wrote:
> Daniel J Walsh wrote:
>> On 08/25/2009 06:43 PM, Anamitra Dutta Majumdar (anmajumd) wrote:
>>>
>>> We are looking for a well documented procedure to add an AV assertion to
>>> the selinux policy on RHEL5.
>>> So far all SELinux URL links refer to the fact that the AV assertion
>>> needs to be added to the assert.te file under the $SELINUX_SRC folder.
>>> This appears to be true only for RHEL4, not RHEL5, since there is no src
>>> folder under /etc/selinux/targeted that contains the source policies in
>>> RHEL5.
>>> We have installed and built the selinux-policy-2.4.6-248.el5.src.rpm on
>>> our RHEL5.4 box and we did not find any assert.te file.
>>> Can someone help us with the exact method as to what needs to be done to
>>> add an AV assertion rule to our policy.
>>>
>>> Thanks
>>> Anamitra & Radha
>>>
>>> --
>>> fedora-selinux-list mailing list
>>> fedora-selinux-list@xxxxxxxxxx
>>> https://www.redhat.com/mailman/listinfo/fedora-selinux-list
>>
>> Questions like this should be asked on the
>> SELinux <selinux@xxxxxxxxxxxxx> mailing list.
>>
>> I am not sure what you are asking for.
>
> assert.te was the old place for neverallow rules in the example policy.
> In the reference policy neverallows are put in their appropriate place
> (you could grep for them in the source policy if you want to see).
>
> However, with RHEL5 and greater distros you can just insert policy
> modules to add rules (including assertions). So just follow the RHEL5
> instructions on adding a policy and you can add neverallows there.
>
> You also need to enable assertion checking by adding this line to
> /etc/selinux/semanage.conf
>
> expand-check = 1
>
> --
> This message was distributed to subscribers of the selinux mailing list.
> If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx
> with the words "unsubscribe selinux" without quotes as the message.

Right, but I am not sure they want a neverallow rule.

I still would like to have them explain what they want for assertions. Are they just looking to make sure that no one loads a policy module that allows a certain rule? If yes, then Josh is correct. If they are looking to remove some access from a domain, like a DENY rule, then assertions will not do it, other than getting the policy build to blow up (if expand-check is turned on).
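The procedure Josh describes (a loadable module carrying a neverallow, plus expand-check = 1 in semanage.conf) and Dan's caveat (an assertion only makes the policy build fail, it removes nothing) can be walked through end to end. The script below is an added example written for this page; it is not code from the thread or from the selinux-policy package. The module names (myassert, myleak) and the types myapp_t and myapp_secret_t are hypothetical; the only real pieces it relies on are the reference-policy devel Makefile shipped in selinux-policy-devel on RHEL5, checkmodule/semodule, and the expand-check key in /etc/selinux/semanage.conf.

```shell
#!/bin/sh
# Added example, not from the thread: add a neverallow assertion to a
# modular (RHEL5-style) SELinux policy and turn on assertion checking.
set -e

# Hypothetical module "myassert": it declares its own domain and data type
# so the assertion does not depend on how the base policy labels anything.
# The neverallow is an assertion, not an access rule: it grants nothing and
# removes nothing, it only makes the link/expand step fail if any module
# (this one or a later one) would grant the forbidden access.
write_assert_module() {
    dir="$1"
    cat > "$dir/myassert.te" <<'EOF'
policy_module(myassert, 1.0)

type myapp_t;
domain_type(myapp_t)

type myapp_secret_t;
files_type(myapp_secret_t)

allow myapp_t myapp_secret_t:file { read getattr open };

# Assertion: no domain other than myapp_t may ever read myapp_secret_t.
neverallow { domain -myapp_t } myapp_secret_t:file read;
EOF
    echo "$dir/myassert.te"
}

# Hypothetical module "myleak" that violates the assertion above. With
# expand-check = 1, installing it (or installing myassert while it is
# already loaded) makes semodule fail with an assertion violation.
write_violating_module() {
    dir="$1"
    cat > "$dir/myleak.te" <<'EOF'
policy_module(myleak, 1.0)

require {
	type myapp_secret_t;
	type unconfined_t;
}

allow unconfined_t myapp_secret_t:file read;
EOF
    echo "$dir/myleak.te"
}

# Set expand-check = 1 in a semanage.conf, rewriting an existing setting
# rather than appending a duplicate (the last key wins, so a stale
# "expand-check = 0" left in place would silently disable checking).
enable_expand_check() {
    conf="$1"
    if grep -q '^[[:space:]]*expand-check[[:space:]]*=' "$conf"; then
        tmp="$conf.tmp.$$"
        sed 's/^[[:space:]]*expand-check[[:space:]]*=.*/expand-check = 1/' "$conf" > "$tmp"
        mv "$tmp" "$conf"
    else
        echo 'expand-check = 1' >> "$conf"
    fi
}

# Compile a .te into a .pp with the reference-policy devel Makefile and
# load it. This is the step Dan refers to as the build "blowing up":
# semodule -i fails if the resulting linked policy violates any neverallow.
build_and_install() {
    dir="$1"; name="$2"
    ( cd "$dir" && make -f /usr/share/selinux/devel/Makefile "$name.pp" )
    semodule -i "$dir/$name.pp"
}

# Only do the real build when explicitly asked and the toolchain exists;
# the file-writing helpers above run anywhere.
case "${1:-}" in
    build)
        work=$(mktemp -d)
        write_assert_module "$work"
        write_violating_module "$work"
        [ -f /usr/share/selinux/devel/Makefile ] || { echo "selinux-policy-devel not installed" >&2; exit 1; }
        enable_expand_check /etc/selinux/semanage.conf
        build_and_install "$work" myassert   # loads cleanly
        build_and_install "$work" myleak     # expected to fail: assertion violated
        ;;
esac
```

Run as root with `sh example.sh build` on a box that has selinux-policy-devel installed. The second semodule call is the point of the exercise: with expand-check = 1 it is rejected, which is exactly what an assertion buys you, and exactly all it buys you. If the goal is instead to strip read access from a domain that the base policy already grants, a neverallow only turns that existing grant into a build failure; it does not deny the access at runtime.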