Chris PeBenito <chpebeni@xxxxxxxxxxxxxxxxxxx> writes:

> On 3/31/2023 16:05, Dominick Grift wrote:
>> Stephen Smalley <stephen.smalley.work@xxxxxxxxx> writes:
>>
>>> On Fri, Mar 31, 2023 at 2:26 PM Dominick Grift
>>> <dominick.grift@xxxxxxxxxxx> wrote:
>>>>
>>>> Stephen Smalley <stephen.smalley.work@xxxxxxxxx> writes:
>>>>
>>>>> On Fri, Mar 31, 2023 at 8:37 AM Petr Lautrbach <lautrbach@xxxxxxxxxx> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I've got a question what is `sesearch --neverallow` good for and how to
>>>>>> make it work. I wasn't able to get any output from this command.
>>>>>>
>>>>>> Is it supposed to work with current userspace and policies? How?
>>>>>
>>>>> I don't see how it could work. neverallow rules aren't preserved in
>>>>> the kernel policies.
>>>>> It would only make sense if sesearch could be run on source policies or modules.
>>>>
>>>> Which according to `man sesearch` is possible, but only monolithic policy.conf.
>>>
>>> Even that doesn't seem to be supported by setools 4,
>>> $ sesearch --neverallow policy.conf
>>> Invalid policy: policy.conf. A binary policy must be specified. (use
>>> e.g. policy.33 or sepolicy) Source policies are not supported.
>>>
>>> $ rpm -q -f /usr/bin/sesearch
>>> setools-console-4.4.0-9.fc37.x86_64
>>
>> I was probably looking at the man for setools3 then. (the one on linux.die.net)
>
> I dropped source policy support some time ago. I'll remove --neverallow
> option and man page info.
>

Thanks.

Petr