Re: [Non-DoD Source] Re: neverallow rules

On 2/26/19 10:38 PM, Chris PeBenito wrote:
On Tue, 2019-02-26 at 19:29 -0600, Joe Nall wrote:
Looking at neverallow rules, the semanage.conf file says
"# expand-check check neverallow rules when executing all semanage commands.
# Large penalty in time if you turn this on. "

If I don't set expand-check=1, are the neverallow rules actually
enforced?

Nope.

If so, when?

An semodule -i of a policy module with neverallow rules that are
violated by the existing binary policy succeeds without complaint
unless expand-check=1 in RHEL 7.6. This is not what I expected.

The time taken by a trivial module installation goes from ~.3 seconds
to ~14 seconds, so the time hit for expand-check is pretty serious.

The reason for adding the expand-check option is because the neverallow
checking is so expensive.


I guess RHEL 7.6 is using an older version of the libsepol and friends? I refactored neverallow checking back in 2015 (see commit 9e6840e6) which greatly reduced the time and memory usage of neverallow checking.

Jim

We are trying to establish some policy invariants to protect against
unexpected/unnoticed RHEL upstream policy changes, some of which have
bitten us recently. Any suggestions are welcome.

One alternative would be to use the setools API to code up some policy
searches in Python, then process the results to find things you
do/don't want in your policy.



--
James Carter <jwcart2@xxxxxxxxxxxxx>
National Security Agency
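The setools-based approach Chris suggests above, written out as an added example (not code from this thread, from RHEL, or from the setools project): invariants are stated the way a neverallow rule reads, allow rules are taken in the statement form that sesearch and str() on a setools rule print, and attribute membership is expanded on both sides so that an upstream update that adds a type to an attribute, or a new allow rule on an attribute, still trips the check. The sample rules and attribute map are constructed; the setools calls (SELinuxPolicy, TERuleQuery(...).results(), policy.typeattributes(), TypeAttribute.expand()) are assumed from the setools 4 API and are only touched when a policy path is given, so the checker itself runs without setools installed. "self" targets and class wildcards are not handled.

```python
"""Neverallow-style policy invariants checked against allow rules.

Added example, not code from the thread or from setools.  Invariants are
(source, target, class, perms) and must not be granted by any allow rule;
attributes on either side are expanded through an attribute -> types map.
"""
import re
from dataclasses import dataclass
from typing import Dict, FrozenSet, Iterable, List, Optional, Set, Tuple

# Statement form printed by sesearch and by str(rule) on a setools AVRule:
#   allow src tgt:cls { p1 p2 };     or     allow src tgt:cls p1;
# A conditional rule carries trailing text after ';', which is ignored.
_ALLOW_RE = re.compile(
    r"^\s*allow\s+(\S+)\s+([^\s:]+):([^\s:]+)\s+"
    r"(?:\{\s*([^}]*?)\s*\}|([^\s;{}]+))\s*;?.*$"
)


@dataclass(frozen=True)
class AllowRule:
    source: str
    target: str
    tclass: str
    perms: FrozenSet[str]


@dataclass(frozen=True)
class Invariant:
    """No allow rule may grant any of perms from source to target:tclass."""
    name: str
    source: str
    target: str
    tclass: str
    perms: FrozenSet[str]


def parse_allow(line: str) -> AllowRule:
    m = _ALLOW_RE.match(line)
    if not m:
        raise ValueError("not an allow rule: %r" % line)
    src, tgt, cls, many, one = m.groups()
    perms = frozenset(many.split()) if many is not None else frozenset([one])
    return AllowRule(src, tgt, cls, perms)


def expand(name: str, attrs: Dict[str, Set[str]]) -> Set[str]:
    """Concrete types behind a type or attribute name (a type is itself)."""
    return set(attrs.get(name, {name}))


def violations(inv: Invariant, rules: Iterable[AllowRule],
               attrs: Dict[str, Set[str]]) -> List[AllowRule]:
    """Rules on the invariant's class that grant a forbidden permission and
    whose expanded source and target overlap the invariant's."""
    want_src, want_tgt = expand(inv.source, attrs), expand(inv.target, attrs)
    hits = []
    for r in rules:
        if r.tclass != inv.tclass or not (r.perms & inv.perms):
            continue
        if expand(r.source, attrs) & want_src and expand(r.target, attrs) & want_tgt:
            hits.append(r)
    return hits


def check(invs: Iterable[Invariant], lines: Iterable[str],
          attrs: Dict[str, Set[str]]) -> Dict[str, List[AllowRule]]:
    rules = [parse_allow(l) for l in lines]
    return {inv.name: violations(inv, rules, attrs) for inv in invs}


def load_from_policy(path: Optional[str] = None) -> Tuple[List[str], Dict[str, Set[str]]]:
    """Read all allow rules and the attribute map from a binary policy with
    setools 4 (the running policy when path is None).  Assumed API names:
    SELinuxPolicy, TERuleQuery, typeattributes(), expand()."""
    import setools  # imported here so the checker runs without it
    policy = setools.SELinuxPolicy(path) if path else setools.SELinuxPolicy()
    lines = [str(r) for r in setools.TERuleQuery(policy, ruletype=["allow"]).results()]
    attrs = {str(a): {str(t) for t in a.expand()} for a in policy.typeattributes()}
    return lines, attrs


# Constructed sample, not taken from any real policy.
SAMPLE_RULES = [
    "allow sshd_t shadow_t:file { read getattr open };",
    "allow domain etc_t:file { read getattr open };",
    # an attribute rule of the kind an upstream update can widen unnoticed
    "allow files_unconfined_type file_type:file { read write create };",
    "allow httpd_t httpd_log_t:file append;",
]
SAMPLE_ATTRS = {
    "domain": {"sshd_t", "httpd_t", "unconfined_t"},
    "file_type": {"etc_t", "shadow_t", "httpd_log_t"},
    "files_unconfined_type": {"unconfined_t", "httpd_t"},  # httpd_t slipped in
}
INVARIANTS = [
    Invariant("no-domain-writes-shadow", "domain", "shadow_t", "file",
              frozenset({"write", "append", "create"})),
    Invariant("sshd-never-writes-shadow", "sshd_t", "shadow_t", "file",
              frozenset({"write", "append"})),
]

if __name__ == "__main__":
    import sys
    lines, attrs = (SAMPLE_RULES, SAMPLE_ATTRS) if len(sys.argv) < 2 \
        else load_from_policy(sys.argv[1])
    bad = 0
    for name, hits in check(INVARIANTS, lines, attrs).items():
        for h in hits:
            bad += 1
            print("VIOLATION %s: allow %s %s:%s %s"
                  % (name, h.source, h.target, h.tclass, sorted(h.perms)))
    sys.exit(1 if bad else 0)
```

Run without arguments it checks the constructed sample and exits non-zero because the files_unconfined_type rule reaches shadow_t once httpd_t is in that attribute; with a path to a binary policy (or on a machine with setools installed, the running policy via an empty path) it runs the same invariants against the real rules, which is the kind of check that can sit in a post-install hook without paying the expand-check cost discussed above.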


