selinux

mirror of https://github.com/SELinuxProject/selinux synced 2025-01-03 04:02:05 +00:00

History

Christian Göttsche 6f7b0ee6c4 checkpolicy: add not-self neverallow support Add support for using negated or complemented self in the target type of neverallow rules. Some Refpolicy examples: neverallow * ~self:{ capability cap_userns capability2 cap2_userns } *; neverallow domain { domain -self -dockerc_t }:dir create; # no violations neverallow domain { domain -dockerc_t }:file ~{ append read_file_perms write }; libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:file { create setattr relabelfrom relabelto unlink link rename }; libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow spc_t spc_t:file { create }; libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow container_t container_t:file { create }; libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow chromium_t chromium_t:file { create }; libsepol.report_failure: neverallow on line 584 of policy/modules/kernel/kernel.te (or line 31357 of policy.conf) violated by allow spc_user_t spc_user_t:file { create }; libsepol.report_failure: neverallow on line 582 of policy/modules/kernel/kernel.te (or line 31355 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:dir { create }; neverallow domain { domain -self -dockerc_t }:file ~{ append read_file_perms write }; libsepol.report_failure: neverallow on line 583 of policy/modules/kernel/kernel.te (or line 31356 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:file { create setattr relabelfrom relabelto unlink link rename }; libsepol.report_failure: neverallow on line 582 of policy/modules/kernel/kernel.te (or line 31355 of policy.conf) violated by allow sysadm_t httpd_bugzilla_script_t:dir { create }; Using negated self in a complement, `~{ domain -self }`, is not supported. Signed-off-by: Christian Göttsche <cgzones@googlemail.com>		2023-03-30 15:08:42 -04:00
..
.gitignore	Repo: update .gitignore	2011-08-02 13:31:51 -04:00
dismod.c	checkpolicy: add not-self neverallow support	2023-03-30 15:08:42 -04:00
dispol.c	checkpolicy: simplify string copying	2022-11-21 14:30:06 -05:00
Makefile	checkpolicy: drop -pipe compile option	2021-07-13 21:02:04 +02:00