On Fri, Mar 31, 2023 at 2:26 PM Dominick Grift <dominick.grift@xxxxxxxxxxx> wrote:
>
> Stephen Smalley <stephen.smalley.work@xxxxxxxxx> writes:
>
> > On Fri, Mar 31, 2023 at 8:37 AM Petr Lautrbach <lautrbach@xxxxxxxxxx> wrote:
> >>
> >> Hi,
> >>
> >> I've got a question what is `sesearch --neverallow` good for and how to
> >> make it work. I wasn't able to get any output from this command.
> >>
> >> Is it supposed to work with current userspace and policies? How?
> >
> > I don't see how it could work. neverallow rules aren't preserved in
> > the kernel policies.
>
> It would only make sense if sesearch could be run on source policies or modules.
>
> Which according to `man sesearch` is possible, but only monolithic policy.conf.

Even that doesn't seem to be supported by setools 4,

$ sesearch --neverallow policy.conf
Invalid policy: policy.conf. A binary policy must be specified. (use e.g. policy.33 or sepolicy) Source policies are not supported.

$ rpm -q -f /usr/bin/sesearch
setools-console-4.4.0-9.fc37.x86_64