Re: sesearch --neverallow


 



On 3/31/2023 16:05, Dominick Grift wrote:
> Stephen Smalley <stephen.smalley.work@xxxxxxxxx> writes:
>
>> On Fri, Mar 31, 2023 at 2:26 PM Dominick Grift
>> <dominick.grift@xxxxxxxxxxx> wrote:
>>
>>> Stephen Smalley <stephen.smalley.work@xxxxxxxxx> writes:
>>>
>>>> On Fri, Mar 31, 2023 at 8:37 AM Petr Lautrbach <lautrbach@xxxxxxxxxx> wrote:
>>>>
>>>>> Hi,
>>>>>
>>>>> I've got a question what is `sesearch --neverallow` good for and how to
>>>>> make it work. I wasn't able to get any output from this command.
>>>>>
>>>>> Is it supposed to work with current userspace and policies? How?
>>>>
>>>> I don't see how it could work. neverallow rules aren't preserved in
>>>> the kernel policies.
>>>> It would only make sense if sesearch could be run on source policies or modules.
>>>
>>> Which according to `man sesearch` is possible, but only monolithic policy.conf.
>>
>> Even that doesn't seem to be supported by setools 4,
>> $ sesearch --neverallow policy.conf
>> Invalid policy: policy.conf. A binary policy must be specified. (use
>> e.g. policy.33 or sepolicy) Source policies are not supported.
>>
>> $ rpm -q -f /usr/bin/sesearch
>> setools-console-4.4.0-9.fc37.x86_64
>
> I was probably looking at the man for setools3 then. (the one on linux.die.net)

I dropped source policy support some time ago. I'll remove --neverallow option and man page info.

--
Chris PeBenito



