On Mon, 2012-08-27 at 16:37 +0200, Ole Kliemann wrote:
> If I do:
>
> attribute A;
>
> type T1_t;
> type T2_t;
>
> typeattribute T2_t A;
>
> allow A T1_t:file read;
>
> neverallow T2_t T1_t:file read;
>
> I can compile and load the corresponding module. I can even do:
>
> allow A T1_t:file read;
>
> neverallow A T1_t:file read;
>
> without problems.
>
> I cannot do:
>
> allow T2_t T1_t:file read;
>
> neverallow A T1_t:file read;
>
>
> The neverallow assertion does not find any allows that are
> constituted by allowing something for an attribute.
>
> Is this normal behaviour?

I would call that a bug. However, I'm not surprised, as Fedora disables the neverallow checking by default (expand-check=0 in /etc/selinux/semanage.conf), so it doesn't get much testing these days. Possibly the neverallow checking has never been updated to account for preservation of attributes in the kernel policy (originally all attributes were expanded at compile-time).

--
Stephen Smalley
National Security Agency

--
This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
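The following Python script is an added illustration, not code from checkpolicy, libsepol or either poster. It models the three policies from the thread (attribute A, types T1_t and T2_t, typeattribute T2_t A, one allow and one neverallow on T1_t:file read) and checks the neverallow assertion two ways. With the allow side expanded to concrete types, all three cases are reported as violations, which is what a correct assertion checker should do. With the neverallow expanded but the allow's identifiers compared literally, exactly the thread's observations are reproduced (first two cases pass, third fails); that mode is only a hypothesis about the cause consistent with the report, not a description of the real checker's internals. The names Policy, check and run_cases are my own.

```python
from dataclasses import dataclass, field


@dataclass
class Policy:
    """Minimal model of the policy statements used in the thread (constructed)."""
    types: set = field(default_factory=set)
    attributes: dict = field(default_factory=dict)   # attribute -> member types
    allows: list = field(default_factory=list)       # (src, tgt, cls, perms)
    neverallows: list = field(default_factory=list)  # (src, tgt, cls, perms)

    def type(self, name):
        self.types.add(name)

    def attribute(self, name):
        self.attributes.setdefault(name, set())

    def typeattribute(self, type_name, attr):
        self.attributes[attr].add(type_name)

    def allow(self, src, tgt, cls, *perms):
        self.allows.append((src, tgt, cls, frozenset(perms)))

    def neverallow(self, src, tgt, cls, *perms):
        self.neverallows.append((src, tgt, cls, frozenset(perms)))

    def expand(self, ident):
        """Concrete types denoted by a type or attribute identifier."""
        if ident in self.attributes:
            return frozenset(self.attributes[ident])
        if ident in self.types:
            return frozenset([ident])
        raise KeyError(f"unknown identifier {ident!r}")

    def check(self, expand_allow_side=True):
        """Return conflicting (neverallow, allow, common perms) triples.

        expand_allow_side=True: both rules are expanded to concrete types, so an
        allow granted to an attribute is matched against its member types.
        expand_allow_side=False: only the neverallow is expanded; the allow's
        identifiers are compared literally. This reproduces the thread's
        observations and is a hypothesis about the bug, nothing more.
        """
        found = []
        for na in self.neverallows:
            na_src, na_tgt, na_cls, na_perms = na
            na_srcs, na_tgts = self.expand(na_src), self.expand(na_tgt)
            for al in self.allows:
                al_src, al_tgt, al_cls, al_perms = al
                if al_cls != na_cls:
                    continue
                if expand_allow_side:
                    al_srcs, al_tgts = self.expand(al_src), self.expand(al_tgt)
                else:
                    al_srcs, al_tgts = frozenset([al_src]), frozenset([al_tgt])
                if al_srcs & na_srcs and al_tgts & na_tgts and al_perms & na_perms:
                    found.append((na, al, al_perms & na_perms))
        return found


def base_policy():
    """The declarations shared by all three policies in the thread."""
    p = Policy()
    p.attribute("A")
    p.type("T1_t")
    p.type("T2_t")
    p.typeattribute("T2_t", "A")
    return p


# The three policies from the thread, keyed by (allow source, neverallow source).
CASES = {
    "allow A / neverallow T2_t": ("A", "T2_t"),
    "allow A / neverallow A": ("A", "A"),
    "allow T2_t / neverallow A": ("T2_t", "A"),
}


def run_cases(expand_allow_side):
    """Map each case name to the number of assertion violations reported."""
    results = {}
    for name, (allow_src, never_src) in CASES.items():
        p = base_policy()
        p.allow(allow_src, "T1_t", "file", "read")
        p.neverallow(never_src, "T1_t", "file", "read")
        results[name] = len(p.check(expand_allow_side))
    return results


if __name__ == "__main__":
    print("literal allow side :", run_cases(expand_allow_side=False))
    print("expanded allow side:", run_cases(expand_allow_side=True))
```

Running it prints one violation per case in the expanding mode and only the third case in the literal mode. The practical consequence for a policy author is the one the thread points at: a neverallow only protects you if the checker resolves attributes on both sides, and on a system with expand-check=0 it is not run at all at module load time, so assertions should be verified with checking enabled before relying on them.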