Bug 718558

Summary: checkpolicy ignores neverallow statements when compiling.
Product: Fedora
Reporter: Matthew Ife <matthew.ife>
Component: checkpolicy
Assignee: Daniel Walsh <dwalsh>
Status: CLOSED CURRENTRELEASE
QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: high
Priority: unspecified
Version: 15
CC: dwalsh, eparis, mgrepl, sdsmall
Hardware: x86_64
OS: Linux
Doc Type: Bug Fix
Last Closed: 2012-07-27 13:22:38 UTC

Description Matthew Ife 2011-07-03 22:00:14 UTC
Description of problem:
neverallow statements should not permit me to include allow rules that contradict one another in policy.

Version-Release number of selected component (if applicable):
At least checkpolicy 2.0.23-2 from F14. The issue is duplicated on F15.

How reproducible:
Consistently.

Steps to Reproduce:

Example 1:
Attempt to find any neverallows in policy:
sesearch --neverallow

Example 2:
Create the following module:
#=============
policy_module(neverallow_test, 0.0.1)

# subject domain
type neverallow_test_t;
domain_type(neverallow_test_t)

# object type
type neverallow_file_t;
files_type(neverallow_file_t)

# assertion, followed by an allow rule that directly violates it
neverallow neverallow_test_t neverallow_file_t: file read;
allow neverallow_test_t neverallow_file_t: file read;
#===============
Then build and load it:
make -f /usr/share/selinux/devel/Makefile load

Actual results:
Example 1: No results are found for any neverallow rules.
Example 2: The following module compiles successfully even though it is explicitly contradicting itself in the compiler.
Searching for neverallow rules from the policy just compiled produces negative results also.

Expected results:
Example 1: I expect to see some neverallow rules - at least from base policy.
Example 2: The compiler should throw up an assertion error regarding the access requested.

Additional info:

The same holds true for modular policies that require base types (like shadow_t). It also applies to attributes.

Comment 1 Matthew Ife 2011-07-03 22:07:31 UTC
This does not affect EL5 but EL6 appears to be affected by this problem.

Comment 2 Daniel Walsh 2011-07-05 19:39:07 UTC
Change 

expand-check=0

to 

expand-check=1

In /etc/selinux/semanage.conf

And I believe it will be enforced.
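
The semanage.conf change from Comment 2, as an added example that is not part of the bug report: a small POSIX shell audit that reports the effective expand-check setting of a semanage.conf-style file and switches it to 1 when it is off. The sample file it writes is constructed; the real target would be /etc/selinux/semanage.conf.

```shell
#!/bin/sh
# Added example, not part of the bug report: check whether expand-check is
# enabled in a semanage.conf-style file and switch it on if it is not.
# With expand-check=0, neverallow assertions are not evaluated when modules
# are linked and expanded, so a contradicting allow rule (as in the module
# above) loads silently. The sample file written by demo() is constructed.

# Print the expand-check value from the file given as $1, or "unset" if the
# key is absent. Commented-out lines ("# expand-check=0") are ignored; if the
# key appears more than once, the last active occurrence is reported.
expand_check_value() {
    v=$(sed -n 's/^[[:space:]]*expand-check[[:space:]]*=[[:space:]]*\([0-9]*\).*/\1/p' "$1" \
        | tail -n 1)
    printf '%s\n' "${v:-unset}"
}

# Rewrite the file given as $1 so that expand-check=1, editing an existing
# active line in place or appending the key if it is missing.
enable_expand_check() {
    tmp="$1.tmp.$$"
    if grep -q '^[[:space:]]*expand-check[[:space:]]*=' "$1"; then
        # \1 is the captured "expand-check=" prefix; the trailing 1 is the new value
        sed 's/^\([[:space:]]*expand-check[[:space:]]*=[[:space:]]*\)[0-9]*/\11/' "$1" > "$tmp"
    else
        cat "$1" > "$tmp" && printf 'expand-check=1\n' >> "$tmp"
    fi
    mv "$tmp" "$1"
}

# Demo on a constructed copy; on a real system you would point the two
# functions at /etc/selinux/semanage.conf (as root) instead.
demo() {
    d=$(mktemp -d)
    printf '# constructed sample\nmodule-store = direct\nexpand-check=0\n' > "$d/semanage.conf"
    echo "before: expand-check=$(expand_check_value "$d/semanage.conf")"
    enable_expand_check "$d/semanage.conf"
    echo "after:  expand-check=$(expand_check_value "$d/semanage.conf")"
    rm -rf "$d"
}

demo
```

After flipping the setting, rebuilding and reloading the module from Example 2 is what makes the neverallow violation visible.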

Comment 3 Daniel Walsh 2012-07-27 13:22:38 UTC
Since this version of Fedora is no longer supported I am closing this bug.  If you are still seeing this bug in a current version of Fedora, please reopen the bugzilla with the appropriate version number.