On 11/07/2015 11:29 PM, Nick Kralevich wrote:
> Consider the following rules:
>
>     attribute foo;
>     type asdf, foo;
>     type asdf2, foo;
>     allow asdf self:dir search;
>     neverallow foo { foo -self }:dir search;
>
> This particular policy fails to compile with the following error:
>
>     libsepol.report_failure: neverallow on line XXX of XXX (or line XXX of policy.conf) violated by allow asdf asdf:dir { search };
>     libsepol.check_assertions: 1 neverallow failures occurred
>
> The intent of the neverallow rule is to prohibit cross-domain access to some resource, but allow access within the same domain. Something like:
>
>     neverallow asdf { foo -asdf }:dir search;
>     neverallow asdf2 { foo -asdf2 }:dir search;
>
> 1) Is the behavior described above a bug or working as intended?
Self is a little special and I am not sure that anyone has ever considered using self in a negation like that. I will have to take a look and see what it would take to allow this usage.
> 2) Is there a way to write a neverallow rule where the target uses "-self", and if so, what does it mean?
I think that it would mean what you intend it to mean.

    allow asdf self:dir search;   # Allowed
    allow asdf asdf:dir search;   # Allowed
    allow asdf asdf2:dir search;  # Not allowed

--
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency
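As an added illustration of the exchange above (constructed for this page, not part of the thread and not libsepol's code), the following Python model expands the posted policy the way an assertion checker would and compares two treatments of "-self" in a neverallow target set. The assumption that the reported failure comes from "-self" being dropped during expansion is the author's guess here, not something verified against the checkpolicy or libsepol sources; the rule names, the `Rule` class and the helper functions are all constructed.

```python
"""Toy model of neverallow assertion checking with `self` in the target set.

Added example for the thread above; constructed here, not libsepol's code.
It models the policy Nick posted and compares two ways a checker could
treat "-self" when expanding a neverallow target set:

  * drop it (assumed here to be what produced the reported failure), and
  * subtract the source type itself, the meaning James says it should have.
"""
from dataclasses import dataclass

# Constructed policy, taken from the thread: one attribute, two member types.
ATTRIBUTES = {"foo": {"asdf", "asdf2"}}
TYPES = {"asdf", "asdf2"}


@dataclass(frozen=True)
class Rule:
    kind: str          # "allow" or "neverallow"
    source: str        # a type or attribute name
    targets: tuple     # target set entries, e.g. ("foo", "-self")
    tclass: str
    perms: frozenset


def expand(name):
    """Expand a type or attribute name to its set of concrete types."""
    if name in ATTRIBUTES:
        return set(ATTRIBUTES[name])
    if name in TYPES:
        return {name}
    raise ValueError(f"unknown type or attribute: {name}")


def expand_targets(src, targets, subtract_self):
    """Resolve a target set for one concrete source type.

    'self' always means src. '-self' either removes src (subtract_self=True)
    or is ignored (subtract_self=False, modelling a checker that cannot
    negate self; an assumption about the failure, not verified against
    libsepol sources).
    """
    positive, negative = set(), set()
    for entry in targets:
        negated = entry.startswith("-")
        name = entry[1:] if negated else entry
        if name == "self":
            if negated and not subtract_self:
                continue
            members = {src}
        else:
            members = expand(name)
        (negative if negated else positive).update(members)
    return positive - negative


def expand_rule(rule, subtract_self=True):
    """Return every (source, target) type pair the rule covers."""
    pairs = set()
    for src in expand(rule.source):
        for tgt in expand_targets(src, rule.targets, subtract_self):
            pairs.add((src, tgt))
    return pairs


def check_assertions(allows, neverallows, subtract_self=True):
    """Return one failure string per allow rule that intersects a neverallow."""
    failures = []
    for na in neverallows:
        forbidden = expand_rule(na, subtract_self)
        for al in allows:
            if al.tclass != na.tclass or not (al.perms & na.perms):
                continue
            for src, tgt in sorted(expand_rule(al, subtract_self) & forbidden):
                perms = " ".join(sorted(al.perms & na.perms))
                failures.append(
                    f"neverallow violated by allow {src} {tgt}:{al.tclass} {{ {perms} }};"
                )
    return failures


# The neverallow from the thread: neverallow foo { foo -self }:dir search;
NEVERALLOW = Rule("neverallow", "foo", ("foo", "-self"), "dir", frozenset({"search"}))


def allow(src, tgt):
    """Build `allow src tgt:dir search;` for the constructed policy."""
    return Rule("allow", src, (tgt,), "dir", frozenset({"search"}))


if __name__ == "__main__":
    for subtract_self in (False, True):
        print(f"-self subtracted: {subtract_self}")
        result = check_assertions([allow("asdf", "self")], [NEVERALLOW], subtract_self)
        for line in result or ["no failures"]:
            print("  ", line)
```

With `subtract_self=False` the neverallow expands to every pair of `foo` members, including asdf to asdf, so `allow asdf self:dir search` is reported exactly as in the posted error. With `subtract_self=True` each source excludes itself, and the three outcomes James lists (asdf to self and asdf to asdf allowed, asdf to asdf2 rejected) fall out of the same check.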