On Tue, 2019-02-26 at 19:29 -0600, Joe Nall wrote:
> Looking at neverallow rules, the semanage.conf file says
> "# expand-check check neverallow rules when executing all semanage
> commands.
> # Large penalty in time if you turn this on. "
>
> If I don't set expand-check=1, are the neverallow rules actually
> enforced?

Nope.

> If so, when?
>
> An semodule -i of a policy module with neverallow rules that are
> violated by the existing binary policy succeeds without complaint
> unless expand-check=1 in RHEL 7.6. This is not what I expected.
>
> The time taken by a trivial module installation goes from ~.3 seconds
> to ~14 seconds, so the time hit for expand-check is pretty serious.

The reason for adding the expand-check option is that the neverallow
checking is so expensive.

> We are trying to establish some policy invariants to protect against
> unexpected/unnoticed RHEL upstream policy changes, some of which have
> bitten us recently. Any suggestions are welcome.

One alternative would be to use the setools API to code up some policy
searches in Python, then process the results to find things you do/don't
want in your policy.

--
Chris PeBenito
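The setools-based approach Chris suggests, written out as an added example (this is not code from the thread, from Joe or Chris, or from the setools project). It treats a policy invariant as a neverallow-style statement (source, target, class, permissions that must never be granted) and checks every allow rule against the list. The setools calls in rules_from_policy follow the setools 4.x API (SELinuxPolicy, TERuleQuery, AVRule.expand) and the policy path /sys/fs/selinux/policy is an assumption; the rule set and invariant list are constructed for illustration, so the checker itself runs without setools installed.

```python
"""Neverallow-style invariant checks over SELinux allow rules.

Added example: not code from the mailing-list thread or the setools
project. The setools calls assume the setools 4.x API and a readable
binary policy at /sys/fs/selinux/policy; SAMPLE_RULES and INVARIANTS
are constructed for illustration.
"""
from dataclasses import dataclass
from typing import Iterable, List, Tuple

ANY = "*"  # wildcard accepted in any Invariant field


@dataclass(frozen=True)
class Rule:
    """The fields of an allow rule that the checker needs (types only,
    attributes already expanded)."""
    source: str
    target: str
    tclass: str
    perms: frozenset


@dataclass(frozen=True)
class Invariant:
    """A neverallow-style statement: these perms must never be allowed
    from source to target on tclass. ANY matches every type or class."""
    name: str
    source: str
    target: str
    tclass: str
    perms: frozenset


def _matches(pattern: str, value: str) -> bool:
    return pattern == ANY or pattern == value


def violations(rules: Iterable[Rule],
               invariants: Iterable[Invariant]) -> List[Tuple[str, Rule, frozenset]]:
    """Return (invariant name, offending rule, offending perms) for every
    allow rule that grants a permission some invariant forbids."""
    inv = list(invariants)
    found = []
    for rule in rules:
        for i in inv:
            if not (_matches(i.source, rule.source)
                    and _matches(i.target, rule.target)
                    and _matches(i.tclass, rule.tclass)):
                continue
            bad = rule.perms & i.perms
            if bad:
                found.append((i.name, rule, bad))
    return found


def rules_from_policy(path: str = "/sys/fs/selinux/policy") -> List[Rule]:
    """Load every allow rule from a binary policy via setools 4.x, expanding
    attributes to concrete types so invariants can name types directly.
    (Assumed API: SELinuxPolicy, TERuleQuery, AVRule.expand.)"""
    import setools  # imported here so violations() works without setools
    policy = setools.SELinuxPolicy(path)
    query = setools.TERuleQuery(policy, ruletype=["allow"])
    out = []
    for rule in query.results():
        for r in rule.expand():  # one rule per concrete (source, target) pair
            out.append(Rule(str(r.source), str(r.target), str(r.tclass),
                            frozenset(str(p) for p in r.perms)))
    return out


# Constructed sample: what a handful of expanded allow rules look like.
SAMPLE_RULES = [
    Rule("httpd_t", "httpd_sys_content_t", "file", frozenset({"read", "getattr", "open"})),
    Rule("httpd_t", "shadow_t", "file", frozenset({"read", "open"})),
    Rule("sshd_t", "user_home_t", "file", frozenset({"read", "write"})),
    Rule("unconfined_t", "shadow_t", "file", frozenset({"read", "write"})),
]

# Constructed invariants, in the spirit of neverallow rules.
INVARIANTS = [
    Invariant("no-shadow-write", ANY, "shadow_t", "file",
              frozenset({"write", "append", "create"})),
    Invariant("httpd-no-shadow", "httpd_t", "shadow_t", "file",
              frozenset({"read", "write", "open"})),
    Invariant("httpd-no-home-write", "httpd_t", "user_home_t", "file",
              frozenset({"write", "append"})),
]


if __name__ == "__main__":
    import sys
    # Use the live policy when setools is available, else the sample rules.
    try:
        rules = rules_from_policy()
    except ImportError:
        rules = SAMPLE_RULES
    hits = violations(rules, INVARIANTS)
    for name, rule, bad in hits:
        print(f"{name}: allow {rule.source} {rule.target}:{rule.tclass} "
              f"{{ {' '.join(sorted(bad))} }}")
    sys.exit(1 if hits else 0)
```

Run against the live policy this exits non-zero when an invariant is broken, so it slots into a post-install check after semodule -i, or into CI over a rebuilt policy, without turning on expand-check for every semanage call. Invariants written against attributes need the expansion step in rules_from_policy, since an allow rule on an attribute such as domain grants the permission to every type in it.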