* neverallow and attributes
@ 2012-08-27 14:37 Ole Kliemann
From: Ole Kliemann @ 2012-08-27 14:37 UTC (permalink / raw)
  To: selinux

If I do:

    attribute A;
    
    type T1_t;
    type T2_t;
    
    typeattribute T2_t A;
    
    allow A T1_t:file read;
    
    neverallow T2_t T1_t:file read;

I can compile and load the corresponding module. I can even do:

    allow A T1_t:file read;
    
    neverallow A T1_t:file read;

without problems.

I cannot do:

    allow T2_t T1_t:file read;
    
    neverallow A T1_t:file read;


The neverallow assertion does not find any allows that are 
constituted by allowing something for an attribute.

Is this normal behaviour?

Ole


* Re: neverallow and attributes
From: Stephen Smalley @ 2012-08-27 16:19 UTC (permalink / raw)
  To: Ole Kliemann; +Cc: selinux

On Mon, 2012-08-27 at 16:37 +0200, Ole Kliemann wrote:
> If I do:
> 
>     attribute A;
>     
>     type T1_t;
>     type T2_t;
>     
>     typeattribute T2_t A;
>     
>     allow A T1_t:file read;
>     
>     neverallow T2_t T1_t:file read;
> 
> I can compile and load the corresponding module. I can even do:
> 
>     allow A T1_t:file read;
>     
>     neverallow A T1_t:file read;
> 
> without problems.
> 
> I cannot do:
> 
>     allow T2_t T1_t:file read;
>     
>     neverallow A T1_t:file read;
> 
> 
> The neverallow assertion does not find any allows that are 
> constituted by allowing something for an attribute.
> 
> Is this normal behaviour?

I would call that a bug.  However, I'm not surprised, as Fedora disables
the neverallow checking by default (expand-check=0
in /etc/selinux/semanage.conf), so it doesn't get much testing these
days.  Possibly the neverallow checking has never been updated to
account for preservation of attributes in the kernel policy (originally
all attributes were expanded at compile-time).

-- 
Stephen Smalley
National Security Agency
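The three policy fragments from the thread, run through a small checker, as an added example that is not code from this thread, from checkpolicy or from libsepol. It implements the semantics Stephen's reply argues for: an attribute on either side of an allow or a neverallow stands for every type that carries it, so all three fragments should be rejected. The `expand_allow_side=False` switch is a constructed model that matches the allow rule literally and expands only the neverallow; it reproduces the three results Ole reports (only the third fragment rejected) and is not a claim about how checkpolicy is implemented. The statement subset, the `DECLS`/`CASES` policies and every function name are assumptions made for this example.

```python
"""Toy neverallow checker that expands attributes before matching rules.

Handles only the statements used in the thread: attribute, type,
typeattribute, allow and neverallow (single permission or { p1 p2 }).
"""
import re
from collections import defaultdict

# allow|neverallow SRC TGT:CLASS PERM;   or   ... TGT:CLASS { p1 p2 };
RULE_RE = re.compile(
    r"^(allow|neverallow)\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|[^\s;]+)\s*;$"
)


def parse_policy(text):
    """Parse the thread's statement subset into (attr_members, types, allows, neverallows)."""
    attr_members = defaultdict(set)  # attribute name -> types declared to carry it
    types = set()
    allows, neverallows = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        words = line.rstrip(";").split()
        if words[0] == "attribute":
            attr_members.setdefault(words[1], set())
        elif words[0] == "type":
            types.add(words[1])
        elif words[0] == "typeattribute":
            # typeattribute T a1, a2;  -> T carries every listed attribute
            for attr in " ".join(words[2:]).replace(",", " ").split():
                attr_members[attr].add(words[1])
        else:
            m = RULE_RE.match(line)
            if not m:
                raise ValueError("unsupported statement: " + line)
            kind, src, tgt, cls, perms = m.groups()
            rule = (src, tgt, cls, frozenset(perms.strip("{} ").split()))
            (allows if kind == "allow" else neverallows).append(rule)
    return attr_members, types, allows, neverallows


def expand(name, attr_members, types):
    """An attribute stands for every type carrying it; a type stands for itself."""
    if name in attr_members:
        return set(attr_members[name])
    if name in types:
        return {name}
    raise ValueError("undeclared identifier: " + name)


def check_neverallows(text, expand_allow_side=True):
    """Return (neverallow, allow) pairs where an allow grants what a neverallow forbids.

    expand_allow_side=True expands attributes in both rules (the intended
    semantics). False expands only the neverallow and matches the allow's
    source/target literally: a constructed model of the behaviour reported
    in the thread, not of checkpolicy's actual code.
    """
    attr_members, types, allows, neverallows = parse_policy(text)
    violations = []
    for na in neverallows:
        na_src = expand(na[0], attr_members, types)
        na_tgt = expand(na[1], attr_members, types)
        for al in allows:
            if al[2] != na[2] or not (al[3] & na[3]):
                continue  # different object class, or no permission in common
            if expand_allow_side:
                al_src = expand(al[0], attr_members, types)
                al_tgt = expand(al[1], attr_members, types)
            else:
                al_src, al_tgt = {al[0]}, {al[1]}
            if al_src & na_src and al_tgt & na_tgt:
                violations.append((na, al))
    return violations


# Constructed input: the declarations shared by all three fragments in the thread.
DECLS = "attribute A;\ntype T1_t;\ntype T2_t;\ntypeattribute T2_t A;\n"

# The three fragments, in the order Ole lists them.
CASES = {
    "allow_attr_neverallow_type": DECLS + "allow A T1_t:file read;\nneverallow T2_t T1_t:file read;",
    "allow_attr_neverallow_attr": DECLS + "allow A T1_t:file read;\nneverallow A T1_t:file read;",
    "allow_type_neverallow_attr": DECLS + "allow T2_t T1_t:file read;\nneverallow A T1_t:file read;",
}


def thread_results(expand_allow_side=True):
    """Number of neverallow violations per thread case under the chosen matching rule."""
    return {name: len(check_neverallows(policy, expand_allow_side))
            for name, policy in CASES.items()}


if __name__ == "__main__":
    print("expected semantics:", thread_results(True))   # every case: 1 violation
    print("reported behaviour:", thread_results(False))  # only the third case: 1
```

Running the block prints one violation per case under full expansion and a violation only for the third fragment under the literal-allow model, which is exactly the split the thread describes: an allow written against an attribute is invisible to the assertion unless the attribute is expanded on the allow side too.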

