Stephen Smalley <stephen.smalley.work@xxxxxxxxx> writes:

> On Fri, Mar 31, 2023 at 2:26 PM Dominick Grift
> <dominick.grift@xxxxxxxxxxx> wrote:
>>
>> Stephen Smalley <stephen.smalley.work@xxxxxxxxx> writes:
>>
>> > On Fri, Mar 31, 2023 at 8:37 AM Petr Lautrbach <lautrbach@xxxxxxxxxx> wrote:
>> >>
>> >> Hi,
>> >>
>> >> I've got a question what is `sesearch --neverallow` good for and how to
>> >> make it work. I wasn't able to get any output from this command.
>> >>
>> >> Is it supposed to work with current userspace and policies? How?
>> >
>> > I don't see how it could work. neverallow rules aren't preserved in
>> > the kernel policies.
>> > It would only make sense if sesearch could be run on source policies or modules.
>>
>> Which according to `man sesearch` is possible, but only monolithic policy.conf.
>
> Even that doesn't seem to be supported by setools 4,
> $ sesearch --neverallow policy.conf
> Invalid policy: policy.conf. A binary policy must be specified. (use
> e.g. policy.33 or sepolicy) Source policies are not supported.
>
> $ rpm -q -f /usr/bin/sesearch
> setools-console-4.4.0-9.fc37.x86_64

I was probably looking at the man for setools3 then. (the one on
linux.die.net)

--
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift