
I intend to use 'enforce' SELinux mode. First, I boot in permissive mode (enforcing=0 in the kernel cmdline). After logging in to the system, I collect all SELinux policy violations from the auditd logs and try to create a SELinux module to allow such actions, but I get "neverallow violated":

root@amalthea:~# ausearch  -m avc > ausearch.result
root@amalthea:~# cat ausearch.result | audit2allow -M local 
******************** IMPORTANT ***********************
To make this policy package active, execute:

semodule -i local.pp
root@amalthea:~# semodule -v -i local.pp 
Attempting to install module 'local.pp':
Ok: return value of 0.
Committing changes:
libsepol.check_assertion_helper: neverallow violated by allow system_dbusd_t shadow_t:file { read };
libsemanage.semanage_expand_sandbox: Expand module failed
semodule:  Failed!

How does this happen if the current policy does NOT have any neverallow rules?

root@amalthea:~# seinfo  | egrep -i 'constraints|neverallow'
   Allow:           55455    Neverallow:          0
   Constraints:       137    Validatetrans:       0

Thanks in advance

Update 1: I installed the source package with the SELinux policy and found 'neverallow' in it. But I don't understand why 'seinfo' says there is no neverallow in the current policy.

root@amalthea:~# seinfo  | egrep -i 'constraints|neverallow'
   Allow:           55455    Neverallow:          0
   Constraints:       137    Validatetrans:       0
Oleg Korchagin
  • Before you blindly make a policy, you should check to see what it is doing first! Use `audit2allow` or `audit2why`. – Michael Hampton Nov 24 '13 at 07:10
  • http://danwalsh.livejournal.com/12333.html – user9517 Nov 24 '13 at 07:23
  • > Before you blindly make a policy, you should check to see what it is doing first! Use audit2allow or audit2why Yes, certainly. But I am just starting to learn SELinux and trying to do elementary things, not deep inspection of SELinux policy ;) And I get questions if an error occurs. – Oleg Korchagin Nov 24 '13 at 09:23
  • > danwalsh.livejournal.com/12333.html I read this blog post yesterday. It does not explain how I can find a certain constraint. And I was surprised that 'seinfo' displays 'Neverallow: 0'. Now I have installed the source of the SELinux policy and found the neverallow constraint by grep. Thanks – Oleg Korchagin Nov 24 '13 at 09:34
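
The install step in the question fails because neverallow rules are assertions checked when the module store is expanded, not statements kept in the compiled kernel policy that `seinfo` reads, which is why the binary policy reports `Neverallow: 0` while the policy source contains them. The practical consequence, and the point of the first comment, is to read what `audit2allow` would emit before installing it. The script below is an added example, not code from the question or from the audit2allow project: it parses the AVC lines that `ausearch -m avc` prints, merges them into the `allow` rules audit2allow would generate, and flags any rule whose target type is on a sensitive list (here only `shadow_t`, the type from the question; extend `SENSITIVE_TARGET_TYPES` for your policy). The log lines are constructed for the example and mirror the denial shown in the question.

```python
import re
from collections import defaultdict

# Constructed sample of what `ausearch -m avc` prints (not captured from the
# poster's system). The first two entries mirror the dbus-daemon -> shadow_t
# denial that produced the "neverallow violated" error in the question; the
# SYSCALL line shows that non-AVC records are ignored.
SAMPLE_AVC_LOG = """\
type=AVC msg=audit(1385275800.101:201): avc:  denied  { read } for  pid=612 comm="dbus-daemon" name="shadow" dev="sda1" ino=1234 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=AVC msg=audit(1385275800.102:202): avc:  denied  { open } for  pid=612 comm="dbus-daemon" path="/etc/shadow" dev="sda1" ino=1234 scontext=system_u:system_r:system_dbusd_t:s0 tcontext=system_u:object_r:shadow_t:s0 tclass=file
type=SYSCALL msg=audit(1385275800.102:202): arch=c000003e syscall=2 success=no exit=-13
type=AVC msg=audit(1385275800.250:203): avc:  denied  { search } for  pid=901 comm="sshd" name="oleg" dev="sda1" ino=5678 scontext=system_u:system_r:sshd_t:s0 tcontext=system_u:object_r:user_home_t:s0 tclass=dir
"""

# Target types that should never be opened up by a blanket "allow whatever was
# denied" module. shadow_t comes from the question; the list is an assumption
# to be extended for the policy in use.
SENSITIVE_TARGET_TYPES = {"shadow_t"}

AVC_RE = re.compile(
    r"avc:\s+denied\s+\{ (?P<perms>[^}]+) \} for .*?"
    r"scontext=(?P<scontext>\S+) tcontext=(?P<tcontext>\S+) tclass=(?P<tclass>\S+)"
)


def context_type(ctx):
    """Extract the type field from a user:role:type[:range] context."""
    return ctx.split(":")[2]


def parse_avc(line):
    """Return the denial's source type, target type, class and permissions,
    or None for records that are not AVC denials."""
    if not line.startswith("type=AVC"):
        return None
    m = AVC_RE.search(line)
    if not m:
        return None
    return {
        "stype": context_type(m.group("scontext")),
        "ttype": context_type(m.group("tcontext")),
        "tclass": m.group("tclass"),
        "perms": set(m.group("perms").split()),
    }


def collect_denials(log_text):
    """Merge denials per (source type, target type, class), as audit2allow
    does when it folds many AVC records into one allow rule."""
    merged = defaultdict(set)
    for line in log_text.splitlines():
        rec = parse_avc(line)
        if rec:
            merged[(rec["stype"], rec["ttype"], rec["tclass"])] |= rec["perms"]
    return dict(merged)


def render_rule(key, perms):
    stype, ttype, tclass = key
    return f"allow {stype} {ttype}:{tclass} {{ {' '.join(sorted(perms))} }};"


def render_rules(denials):
    """The allow rules a generated .te file would contain, in sorted order."""
    return [render_rule(k, p) for k, p in sorted(denials.items())]


def flag_sensitive(denials, sensitive=SENSITIVE_TARGET_TYPES):
    """Rules whose target type is sensitive: review these instead of
    installing them, since they are the ones that trip neverallow assertions
    or, worse, quietly grant access the policy was written to forbid."""
    return [render_rule(k, p) for k, p in sorted(denials.items()) if k[1] in sensitive]


if __name__ == "__main__":
    denials = collect_denials(SAMPLE_AVC_LOG)
    for rule in render_rules(denials):
        print(rule)
    for rule in flag_sensitive(denials):
        print("REVIEW BEFORE INSTALL:", rule)
```

On a real system, pipe `ausearch -m avc` into `collect_denials` instead of the constructed sample; a flagged rule means the right fix is usually relabeling the object or fixing the program, not an allow rule.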
