On 12/1/19 9:52 AM, Richard Haines wrote:
Test perf_event permissions.

Signed-off-by: Richard Haines <richard_c_haines@xxxxxxxxxxxxxx>
---
diff --git a/policy/test_perf_event.te b/policy/test_perf_event.te new file mode 100644 index 0000000..8b612bc --- /dev/null +++ b/policy/test_perf_event.te
<snip>
+neverallow test_perf_no_admin_t self:capability { sys_admin };
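Review bot: the neverallow on test_perf_no_admin_t's self:capability sys_admin has no comment saying what it guards (why that domain must never hold sys_admin for the perf_event test to be meaningful); add one, since a neverallow is only enforced when expand-check is on and otherwise serves purely as documentation of the test's intent. Minor style point for the same line: with a single permission the braces are unnecessary, so `neverallow test_perf_no_admin_t self:capability sys_admin;` reads cleaner.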
I don't particularly object to this, but I wanted to note that these neverallows are not being checked by default (expand-check=0 in /etc/selinux/semanage.conf). In fact, if one were to enable expand-check, it would not be possible to insert the test policy module without triggering some neverallow and/or typebounds failures, because the test policy intentionally violates such invariants at points.
Even the base Fedora policy doesn't appear to pass neverallow checking at present; if you enable expand-check=1 in /etc/selinux/semanage.conf and semodule -B, it fails (at least for me).
So your neverallow rules in the test policy are at best documentation.
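The check described in the reply (turn on expand-check in semanage.conf, rebuild with semodule -B, see whether any neverallow or typebounds rule is violated), as an added example that is not part of the patch or the selinux-testsuite. It flips the setting only for the duration of one rebuild and restores the original file afterwards; the backup path and the `--run` guard are assumptions, and `sed -i` is the GNU form. Expect the rebuild to fail on a stock Fedora policy for the reason the reply gives, so a non-zero status does not by itself implicate the module under test.

```shell
#!/bin/sh
# Added example (not from the original patch or the selinux-testsuite):
# evaluate neverallow rules once by rebuilding the policy store with
# expand-check=1, then put semanage.conf back the way it was.

# Print the current expand-check value from a semanage.conf (empty if unset
# or only present as a commented-out line).
get_expand_check() {
    sed -n 's/^[[:space:]]*expand-check[[:space:]]*=[[:space:]]*\([01]\).*/\1/p' "$1" | tail -n 1
}

# Set expand-check=<value> in a semanage.conf, replacing an existing
# (possibly commented-out) setting or appending one if none is present.
set_expand_check() {
    conf=$1
    value=$2
    if grep -q '^[#[:space:]]*expand-check[[:space:]]*=' "$conf"; then
        # GNU sed in-place edit
        sed -i "s/^[#[:space:]]*expand-check[[:space:]]*=.*/expand-check=$value/" "$conf"
    else
        printf 'expand-check=%s\n' "$value" >> "$conf"
    fi
}

# Rebuild the policy store with neverallow checking enabled and restore the
# original configuration afterwards. Returns semodule's exit status: non-zero
# means some neverallow or typebounds rule was violated, which on a stock
# Fedora policy can come from the base policy rather than the module under test.
check_neverallows() {
    conf=${1:-/etc/selinux/semanage.conf}
    backup="$conf.expand-check.bak"        # assumed backup location
    cp "$conf" "$backup"
    set_expand_check "$conf" 1
    # -n (--noreload): commit the rebuilt store without loading it into the kernel,
    # so a check-only run does not change the running policy.
    semodule -n -B
    status=$?
    mv "$backup" "$conf"
    return $status
}

# Only perform the real rebuild when explicitly asked (assumed convention).
if [ "${1:-}" = "--run" ]; then
    if check_neverallows "${2:-/etc/selinux/semanage.conf}"; then
        echo "neverallow checks passed"
    else
        echo "neverallow checks failed (semodule exit $?)"
    fi
fi
```

Run it as root with `--run` on a system whose module store already contains the test policy; to check a module without touching the live policy, install it with `semodule -n -i test_policy.pp` first, then run the script.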