From: Dominick Grift <dominick.grift@defensec.nl>
To: Stephen Smalley <stephen.smalley.work@gmail.com>
Cc: Petr Lautrbach <lautrbach@redhat.com>, selinux@vger.kernel.org
Subject: Re: sesearch --neverallow
Date: Fri, 31 Mar 2023 22:05:43 +0200 [thread overview]
Message-ID: <87cz4obsa0.fsf@defensec.nl> (raw)
In-Reply-To: <CAEjxPJ72BTh3MzGje82uN4ayCGFGnJyz7uKobprRhx0R1R0JNA@mail.gmail.com> (Stephen Smalley's message of "Fri, 31 Mar 2023 15:59:18 -0400")
Stephen Smalley <stephen.smalley.work@gmail.com> writes:
> On Fri, Mar 31, 2023 at 2:26 PM Dominick Grift
> <dominick.grift@defensec.nl> wrote:
>>
>> Stephen Smalley <stephen.smalley.work@gmail.com> writes:
>>
>> > On Fri, Mar 31, 2023 at 8:37 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
>> >>
>> >> Hi,
>> >>
>> >> I've got a question what is `sesearch --neverallow` good for and how to
>> >> make it work. I wasn't able to get any output from this command.
>> >>
>> >> Is it supposed to work with current userspace and policies? How?
>> >
>> > I don't see how it could work. neverallow rules aren't preserved in
>> > the kernel policies.
>> > It would only make sense if sesearch could be run on source policies or modules.
>>
>> Which according to `man sesearch` is possible, but only monolithic policy.conf.
>
> Even that doesn't seem to be supported by setools 4,
> $ sesearch --neverallow policy.conf
> Invalid policy: policy.conf. A binary policy must be specified. (use
> e.g. policy.33 or sepolicy) Source policies are not supported.
>
> $ rpm -q -f /usr/bin/sesearch
> setools-console-4.4.0-9.fc37.x86_64
I was probably looking at the man for setools3 then. (the one on linux.die.net)
--
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift
next prev parent reply other threads:[~2023-03-31 20:05 UTC|newest]
Thread overview: 7+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-03-31 12:29 sesearch --neverallow Petr Lautrbach
2023-03-31 18:15 ` Stephen Smalley
2023-03-31 18:26 ` Dominick Grift
2023-03-31 19:59 ` Stephen Smalley
2023-03-31 20:05 ` Dominick Grift [this message]
2023-04-03 12:28 ` Chris PeBenito
2023-04-03 13:38 ` Petr Lautrbach
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=87cz4obsa0.fsf@defensec.nl \
--to=dominick.grift@defensec.nl \
--cc=lautrbach@redhat.com \
--cc=selinux@vger.kernel.org \
--cc=stephen.smalley.work@gmail.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.