* [SELinux-notebook PATCH] avc_rules.md: mention secilc with the neverallow statement
@ 2020-07-09 9:03 Dominick Grift
From: Dominick Grift @ 2020-07-09 9:03 UTC (permalink / raw)
To: selinux; +Cc: Dominick Grift
I was unable to determine whether checkpolicy can be told to disable
neverallow checking.
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
---
src/avc_rules.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/avc_rules.md b/src/avc_rules.md
index a9dead5..7e62d04 100644
--- a/src/avc_rules.md
+++ b/src/avc_rules.md
@@ -182,8 +182,9 @@ auditallow ada_t self:process execstack;
This rule specifies that an `allow` rule must not be generated for the
operation, even if it has been previously allowed. The `neverallow`
-statement is a compiler enforced action, where the ***checkpolicy**(8)* or
+statement is a compiler enforced action, where the ***checkpolicy**(8)*,
***checkmodule**(8)* <a href="#fna1" class="footnote-ref" id="fnavc1"><sup>1</sup></a>
+or ***secilc**(8)* <a href="#fna2" class="footnote-ref" id="fnavc2"><sup>2</sup></a>
compiler checks if any allow rules have been generated in the policy source,
if so it will issue a warning and stop.
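Review bot: with footnote 2 now stating that secilc can switch neverallow checking off, the body text's unconditional "if so it will issue a warning and stop." only holds by default for secilc; consider qualifying it, e.g. "if so it will issue a warning and stop (unless the check has been disabled, see footnote 2)." The same context line is also a comma splice ("source, if so it will"); "in the policy source; if so, it issues a warning and stops." reads cleaner.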
@@ -211,6 +212,7 @@ neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
<section class="footnotes">
<ol>
<li id="fna1"><p><code>neverallow</code> statements are allowed in modules, however to detect these the <em>semanage.conf</em> file must have the 'expand-check=1' entry present.<a href="#fnavc1" class="footnote-back">↩</a></p></li>
+<li id="fna2"><p>The `--disable-neverallow` option can be used with ***secilc**(8)* to disable <code>neverallow</code> rule checking.<a href="#fnavc2" class="footnote-back">↩</a></p></li>
</ol>
</section>
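Review bot: the added `<li id="fna2">` puts markdown inside a raw HTML footnote list: `***secilc**(8)*` and the backticks around `--disable-neverallow` are unlikely to be processed inside a block-level `<section>`/`<li>` and will render literally. Match the markup footnote 1 already uses: `<em><strong>secilc</strong>(8)</em>` for the man page reference and `<code>--disable-neverallow</code>` alongside the existing `<code>neverallow</code>`.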
--
2.27.0
* Re: [SELinux-notebook PATCH] avc_rules.md: mention secilc with the neverallow statement
From: Richard Haines @ 2020-07-09 14:16 UTC (permalink / raw)
To: Dominick Grift, selinux
On Thu, 2020-07-09 at 11:03 +0200, Dominick Grift wrote:
> I was unable to determine whether checkpolicy can be told to disable
> neverallow checking.
>
> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
> ---
> src/avc_rules.md | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
>
> diff --git a/src/avc_rules.md b/src/avc_rules.md
> index a9dead5..7e62d04 100644
> --- a/src/avc_rules.md
> +++ b/src/avc_rules.md
> @@ -182,8 +182,9 @@ auditallow ada_t self:process execstack;
>
> This rule specifies that an `allow` rule must not be generated for
> the
> operation, even if it has been previously allowed. The `neverallow`
> -statement is a compiler enforced action, where the
> ***checkpolicy**(8)* or
> +statement is a compiler enforced action, where the
> ***checkpolicy**(8)*,
> ***checkmodule**(8)* <a href="#fna1" class="footnote-ref"
> id="fnavc1"><sup>1</sup></a>
> +or ***secilc**(8)* <a href="#fna2" class="footnote-ref"
> id="fnavc2"><sup>2</sup></a>
> compiler checks if any allow rules have been generated in the policy
> source,
> if so it will issue a warning and stop.
>
> @@ -211,6 +212,7 @@ neverallow { domain -mmap_low_domain_type }
> self:memprotect mmap_zero;
> <section class="footnotes">
> <ol>
> <li id="fna1"><p><code>neverallow</code> statements are allowed in
> modules, however to detect these the <em>semanage.conf</em> file must
> have the 'expand-check=1' entry present.<a href="#fnavc1"
> class="footnote-back">↩</a></p></li>
> +<li id="fna2"><p>The `--disable-neverallow` option can be used with
> ***secilc**(8)* to disable <code>neverallow</code> rule checking.<a
> href="#fnavc2" class="footnote-back">↩</a></p></li>
> </ol>
> </section>
As the footnote is HTML, to render the man page entry it needs to be:
<em><strong>secilc</strong>(8)</em>
>
* Re: [SELinux-notebook PATCH] avc_rules.md: mention secilc with the neverallow statement
From: Stephen Smalley @ 2020-07-09 14:33 UTC (permalink / raw)
To: Dominick Grift; +Cc: SElinux list
On Thu, Jul 9, 2020 at 5:04 AM Dominick Grift
<dominick.grift@defensec.nl> wrote:
>
> I was unable to determine whether checkpolicy can be told to disable
> neverallow checking.
There is presently no way to disable neverallow checking for checkpolicy.
* [PATCH] avc_rules.md: mention secilc with the neverallow statement
From: Dominick Grift @ 2020-07-09 18:10 UTC (permalink / raw)
To: selinux; +Cc: Dominick Grift
I was unable to determine whether checkpolicy can be told to disable
neverallow checking.
v2: As the footnote is HTML, to render the man page entry it needs to be:
<em><strong>secilc</strong>(8)</em>
Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
---
src/avc_rules.md | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/avc_rules.md b/src/avc_rules.md
index a9dead5..5c2a491 100644
--- a/src/avc_rules.md
+++ b/src/avc_rules.md
@@ -182,8 +182,9 @@ auditallow ada_t self:process execstack;
This rule specifies that an `allow` rule must not be generated for the
operation, even if it has been previously allowed. The `neverallow`
-statement is a compiler enforced action, where the ***checkpolicy**(8)* or
+statement is a compiler enforced action, where the ***checkpolicy**(8)*,
***checkmodule**(8)* <a href="#fna1" class="footnote-ref" id="fnavc1"><sup>1</sup></a>
+or ***secilc**(8)* <a href="#fna2" class="footnote-ref" id="fnavc2"><sup>2</sup></a>
compiler checks if any allow rules have been generated in the policy source,
if so it will issue a warning and stop.
@@ -211,6 +212,7 @@ neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
<section class="footnotes">
<ol>
<li id="fna1"><p><code>neverallow</code> statements are allowed in modules, however to detect these the <em>semanage.conf</em> file must have the 'expand-check=1' entry present.<a href="#fnavc1" class="footnote-back">↩</a></p></li>
+<li id="fna2"><p>The `--disable-neverallow` option can be used with <em></strong>secilc</strong>(8)</em> to disable <code>neverallow</code> rule checking.<a href="#fnavc2" class="footnote-back">↩</a></p></li>
</ol>
</section>
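Review bot: the new footnote carries a malformed tag: `<em></strong>secilc</strong>(8)</em>` opens with a closing `</strong>` where `<strong>` was meant, leaving the element unbalanced so browsers will repair it inconsistently; it should read `<em><strong>secilc</strong>(8)</em>`, which is what the v1 review asked for. The backticks around `--disable-neverallow` are also still markdown inside raw HTML; `<code>--disable-neverallow</code>` matches `<code>neverallow</code>` on the same line.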
--
2.27.0
* Re: [PATCH] avc_rules.md: mention secilc with the neverallow statement
From: Paul Moore @ 2020-07-09 18:48 UTC (permalink / raw)
To: Dominick Grift; +Cc: selinux
On Thu, Jul 9, 2020 at 2:10 PM Dominick Grift
<dominick.grift@defensec.nl> wrote:
>
> I was unable to determine whether checkpolicy can be told to disable
> neverallow checking.
>
> v2: As the footnote is HTML, to render the man page entry it needs to be:
> <em><strong>secilc</strong>(8)</em>
>
> Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
> ---
> src/avc_rules.md | 4 +++-
> 1 file changed, 3 insertions(+), 1 deletion(-)
Merged, thanks for the quick revision.
> diff --git a/src/avc_rules.md b/src/avc_rules.md
> index a9dead5..5c2a491 100644
> --- a/src/avc_rules.md
> +++ b/src/avc_rules.md
> @@ -182,8 +182,9 @@ auditallow ada_t self:process execstack;
>
> This rule specifies that an `allow` rule must not be generated for the
> operation, even if it has been previously allowed. The `neverallow`
> -statement is a compiler enforced action, where the ***checkpolicy**(8)* or
> +statement is a compiler enforced action, where the ***checkpolicy**(8)*,
> ***checkmodule**(8)* <a href="#fna1" class="footnote-ref" id="fnavc1"><sup>1</sup></a>
> +or ***secilc**(8)* <a href="#fna2" class="footnote-ref" id="fnavc2"><sup>2</sup></a>
> compiler checks if any allow rules have been generated in the policy source,
> if so it will issue a warning and stop.
>
> @@ -211,6 +212,7 @@ neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
> <section class="footnotes">
> <ol>
> <li id="fna1"><p><code>neverallow</code> statements are allowed in modules, however to detect these the <em>semanage.conf</em> file must have the 'expand-check=1' entry present.<a href="#fnavc1" class="footnote-back">↩</a></p></li>
> +<li id="fna2"><p>The `--disable-neverallow` option can be used with <em></strong>secilc</strong>(8)</em> to disable <code>neverallow</code> rule checking.<a href="#fnavc2" class="footnote-back">↩</a></p></li>
> </ol>
> </section>
>
--
paul moore
www.paul-moore.com