On 11/07/2015 11:29 PM, Nick Kralevich wrote:
Consider the following rules:
attribute foo;
type asdf, foo;
type asdf2, foo;
allow asdf self:dir search;
neverallow foo { foo -self }:dir search;
This particular policy fails to compile with the following error:
libsepol.report_failure: neverallow on line XXX of XXX (or line XXX of
policy.conf) violated by allow asdf asdf:dir { search };
libsepol.check_assertions: 1 neverallow failures occurred
The intent of the neverallow rule is to prohibit cross domain access
to some resource, but allow access within the same domain. Something
like:
neverallow asdf { foo -asdf }:dir search;
neverallow asdf2 { foo -asdf2 }:dir search;
1) Is the behavior described above a bug or working as intended?
2) Is there a way to write a neverallow rule where the target uses
"-self", and if so, what does it mean?
It doesn't look to me as if "-self" has ever been supported correctly
either by the checkpolicy parser or by the libsepol neverallow/assertion
checker. So, it's a bug, but not sure how involved a fix will be
(beyond just having checkpolicy reject it in the first place).
_______________________________________________
Selinux mailing list
Selinux@xxxxxxxxxxxxx
To unsubscribe, send email to Selinux-leave@xxxxxxxxxxxxx.
To get help, send an email containing "help" to Selinux-request@xxxxxxxxxxxxx.
