* sesearch --neverallow
From: Petr Lautrbach @ 2023-03-31 12:29 UTC
  To: selinux

Hi,

I've got a question what is `sesearch --neverallow` good for and how to
make it work. I wasn't able to get any output from this command.

Is it supposed to work with current userspace and policies? How?

Thanks,

Petr





* Re: sesearch --neverallow
From: Stephen Smalley @ 2023-03-31 18:15 UTC
  To: Petr Lautrbach; +Cc: selinux

On Fri, Mar 31, 2023 at 8:37 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
>
> Hi,
>
> I've got a question what is `sesearch --neverallow` good for and how to
> make it work. I wasn't able to get any output from this command.
>
> Is it supposed to work with current userspace and policies? How?

I don't see how it could work. neverallow rules aren't preserved in
the kernel policies.
It would only make sense if sesearch could be run on source policies or modules.


* Re: sesearch --neverallow
From: Dominick Grift @ 2023-03-31 18:26 UTC
  To: Stephen Smalley; +Cc: Petr Lautrbach, selinux

Stephen Smalley <stephen.smalley.work@gmail.com> writes:

> On Fri, Mar 31, 2023 at 8:37 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
>>
>> Hi,
>>
>> I've got a question what is `sesearch --neverallow` good for and how to
>> make it work. I wasn't able to get any output from this command.
>>
>> Is it supposed to work with current userspace and policies? How?
>
> I don't see how it could work. neverallow rules aren't preserved in
> the kernel policies.
> It would only make sense if sesearch could be run on source policies or modules.

Which according to `man sesearch` is possible, but only monolithic policy.conf.

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift


* Re: sesearch --neverallow
From: Stephen Smalley @ 2023-03-31 19:59 UTC
  To: Dominick Grift; +Cc: Petr Lautrbach, selinux

On Fri, Mar 31, 2023 at 2:26 PM Dominick Grift
<dominick.grift@defensec.nl> wrote:
>
> Stephen Smalley <stephen.smalley.work@gmail.com> writes:
>
> > On Fri, Mar 31, 2023 at 8:37 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
> >>
> >> Hi,
> >>
> >> I've got a question what is `sesearch --neverallow` good for and how to
> >> make it work. I wasn't able to get any output from this command.
> >>
> >> Is it supposed to work with current userspace and policies? How?
> >
> > I don't see how it could work. neverallow rules aren't preserved in
> > the kernel policies.
> > It would only make sense if sesearch could be run on source policies or modules.
>
> Which according to `man sesearch` is possible, but only monolithic policy.conf.

Even that doesn't seem to be supported by setools 4,
$ sesearch --neverallow policy.conf
Invalid policy: policy.conf. A binary policy must be specified. (use
e.g. policy.33 or sepolicy) Source policies are not supported.

$ rpm -q -f /usr/bin/sesearch
setools-console-4.4.0-9.fc37.x86_64


* Re: sesearch --neverallow
From: Dominick Grift @ 2023-03-31 20:05 UTC
  To: Stephen Smalley; +Cc: Petr Lautrbach, selinux

Stephen Smalley <stephen.smalley.work@gmail.com> writes:

> On Fri, Mar 31, 2023 at 2:26 PM Dominick Grift
> <dominick.grift@defensec.nl> wrote:
>>
>> Stephen Smalley <stephen.smalley.work@gmail.com> writes:
>>
>> > On Fri, Mar 31, 2023 at 8:37 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
>> >>
>> >> Hi,
>> >>
>> >> I've got a question what is `sesearch --neverallow` good for and how to
>> >> make it work. I wasn't able to get any output from this command.
>> >>
>> >> Is it supposed to work with current userspace and policies? How?
>> >
>> > I don't see how it could work. neverallow rules aren't preserved in
>> > the kernel policies.
>> > It would only make sense if sesearch could be run on source policies or modules.
>>
>> Which according to `man sesearch` is possible, but only monolithic policy.conf.
>
> Even that doesn't seem to be supported by setools 4,
> $ sesearch --neverallow policy.conf
> Invalid policy: policy.conf. A binary policy must be specified. (use
> e.g. policy.33 or sepolicy) Source policies are not supported.
>
> $ rpm -q -f /usr/bin/sesearch
> setools-console-4.4.0-9.fc37.x86_64

I was probably looking at the man for setools3 then. (the one on linux.die.net)

-- 
gpg --locate-keys dominick.grift@defensec.nl
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift


* Re: sesearch --neverallow
From: Chris PeBenito @ 2023-04-03 12:28 UTC
  To: Dominick Grift, Stephen Smalley; +Cc: Petr Lautrbach, selinux

On 3/31/2023 16:05, Dominick Grift wrote:
> Stephen Smalley <stephen.smalley.work@gmail.com> writes:
> 
>> On Fri, Mar 31, 2023 at 2:26 PM Dominick Grift
>> <dominick.grift@defensec.nl> wrote:
>>>
>>> Stephen Smalley <stephen.smalley.work@gmail.com> writes:
>>>
>>>> On Fri, Mar 31, 2023 at 8:37 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
>>>>>
>>>>> Hi,
>>>>>
>>>>> I've got a question what is `sesearch --neverallow` good for and how to
>>>>> make it work. I wasn't able to get any output from this command.
>>>>>
>>>>> Is it supposed to work with current userspace and policies? How?
>>>>
>>>> I don't see how it could work. neverallow rules aren't preserved in
>>>> the kernel policies.
>>>> It would only make sense if sesearch could be run on source policies or modules.
>>>
>>> Which according to `man sesearch` is possible, but only monolithic policy.conf.
>>
>> Even that doesn't seem to be supported by setools 4,
>> $ sesearch --neverallow policy.conf
>> Invalid policy: policy.conf. A binary policy must be specified. (use
>> e.g. policy.33 or sepolicy) Source policies are not supported.
>>
>> $ rpm -q -f /usr/bin/sesearch
>> setools-console-4.4.0-9.fc37.x86_64
> 
> I was probably looking at the man for setools3 then. (the one on linux.die.net)

I dropped source policy support some time ago. I'll remove --neverallow 
option and man page info.

-- 
Chris PeBenito



* Re: sesearch --neverallow
From: Petr Lautrbach @ 2023-04-03 13:38 UTC
  To: Chris PeBenito, Dominick Grift, Stephen Smalley; +Cc: selinux

Chris PeBenito <chpebeni@linux.microsoft.com> writes:

> On 3/31/2023 16:05, Dominick Grift wrote:
>> Stephen Smalley <stephen.smalley.work@gmail.com> writes:
>> 
>>> On Fri, Mar 31, 2023 at 2:26 PM Dominick Grift
>>> <dominick.grift@defensec.nl> wrote:
>>>>
>>>> Stephen Smalley <stephen.smalley.work@gmail.com> writes:
>>>>
>>>>> On Fri, Mar 31, 2023 at 8:37 AM Petr Lautrbach <lautrbach@redhat.com> wrote:
>>>>>>
>>>>>> Hi,
>>>>>>
>>>>>> I've got a question what is `sesearch --neverallow` good for and how to
>>>>>> make it work. I wasn't able to get any output from this command.
>>>>>>
>>>>>> Is it supposed to work with current userspace and policies? How?
>>>>>
>>>>> I don't see how it could work. neverallow rules aren't preserved in
>>>>> the kernel policies.
>>>>> It would only make sense if sesearch could be run on source policies or modules.
>>>>
>>>> Which according to `man sesearch` is possible, but only monolithic policy.conf.
>>>
>>> Even that doesn't seem to be supported by setools 4,
>>> $ sesearch --neverallow policy.conf
>>> Invalid policy: policy.conf. A binary policy must be specified. (use
>>> e.g. policy.33 or sepolicy) Source policies are not supported.
>>>
>>> $ rpm -q -f /usr/bin/sesearch
>>> setools-console-4.4.0-9.fc37.x86_64
>> 
>> I was probably looking at the man for setools3 then. (the one on linux.die.net)
>
> I dropped source policy support some time ago. I'll remove --neverallow 
> option and man page info.
>

Thanks.

Petr
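
The thread's conclusion is that neverallow rules live only in policy source, so a binary policy cannot be queried for them. The Python example below is added here (it is not from the original messages and is not setools code): it reads neverallow statements from source text and checks them against allow rules in the text form `sesearch --allow` prints. The sample rules and type names are constructed, and it assumes literal type names and brace sets only (no attributes, `self`, `~`, `*` or `-`).

```python
import re

# Constructed sample: neverallow statements as written in policy source
# (type names are made up for this example).
SOURCE_POLICY = """
neverallow httpd_t shadow_t:file { read write };
neverallow { httpd_t ftpd_t } kernel_t:system module_load;
"""

# Constructed sample: allow rules in the text form `sesearch --allow` prints.
ALLOW_RULES = """
allow httpd_t httpd_log_t:file { append create };
allow ftpd_t kernel_t:system { module_load syslog_read };
allow httpd_t shadow_t:file getattr;
"""

TOK = r"(\{[^}]*\}|[\w.]+)"  # a single name or a { brace set }
RULE = re.compile(rf"^(allow|neverallow)\s+{TOK}\s+{TOK}\s*:\s*{TOK}\s+{TOK}\s*;")

def _names(token):
    """Turn 'a' or '{ a b }' into a set of names."""
    return set(token.strip("{} ").split())

def parse_rules(text, kind):
    """Return (sources, targets, classes, perms) sets for each rule of `kind`."""
    rules = []
    for line in text.splitlines():
        m = RULE.match(line.strip())
        if m and m.group(1) == kind:
            rules.append(tuple(_names(g) for g in m.groups()[1:]))
    return rules

def find_violations(source_text, allow_text):
    """List (source, target, class, perms) granted despite a neverallow."""
    allows = parse_rules(allow_text, "allow")
    hits = []
    for n_src, n_tgt, n_cls, n_perm in parse_rules(source_text, "neverallow"):
        for a_src, a_tgt, a_cls, a_perm in allows:
            perms = tuple(sorted(n_perm & a_perm))  # forbidden perms actually granted
            if not perms:
                continue
            for s in sorted(n_src & a_src):
                for t in sorted(n_tgt & a_tgt):
                    for c in sorted(n_cls & a_cls):
                        hits.append((s, t, c, perms))
    return hits

if __name__ == "__main__":
    for src, tgt, cls, perms in find_violations(SOURCE_POLICY, ALLOW_RULES):
        print(f"neverallow violated: {src} {tgt}:{cls} {{ {' '.join(perms)} }}")
```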

