Bug 718558 - checkpolicy ignores neverallow statements when compiling.
Summary: checkpolicy ignores neverallow statements when compiling.
Keywords:
Status: CLOSED CURRENTRELEASE
Alias: None
Product: Fedora
Classification: Fedora
Component: checkpolicy
Version: 15
Hardware: x86_64
OS: Linux
Priority: unspecified
Severity: high
Target Milestone: ---
Assignee: Daniel Walsh
QA Contact: Fedora Extras Quality Assurance
URL:
Whiteboard:
Depends On:
Blocks:
 
Reported: 2011-07-03 22:00 UTC by Matthew Ife
Modified: 2012-07-27 13:22 UTC (History)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-07-27 13:22:38 UTC
Type: ---



Description Matthew Ife 2011-07-03 22:00:14 UTC
Description of problem:
neverallow statements should not permit me to include allow rules that contradict one another in policy.

Version-Release number of selected component (if applicable):
At least checkpolicy 2.0.23-2 from F14. The issue is duplicated on F15.

How reproducible:
Consistently.

Steps to Reproduce:
Create the following module:

Example 1:
Attempt to find any neverallows in policy:
sesearch --neverallow

Example 2:
#=============
policy_module(neverallow_test, 0.0.1)

type neverallow_test_t;
domain_type(neverallow_test_t)

type neverallow_file_t;
files_type(neverallow_file_t);

neverallow neverallow_test_t neverallow_file_t: file read;
allow neverallow_test_t neverallow_file_t: file read;
#===============
make -f /usr/share/selinux/devel/Makefile load

Actual results:
Example1: No results are found for any neverallow rules.
Example2: The following module compiles successfully even though it is explicitly contradicting itself in the compiler.
Searching for neverallow rules from the policy just compiled produces negative results also.

Expected results:
Example1: I expect to see some neverallow rules - at least from base policy.
Example2: The compiler should throw up an assertion error regarding the access requested.

Additional info:

The same holds true for modular policies that require base types (like shadow_t). It also applies to attributes.

Comment 1 Matthew Ife 2011-07-03 22:07:31 UTC
This does not affect EL5 but EL6 appears to be affected by this problem.

Comment 2 Daniel Walsh 2011-07-05 19:39:07 UTC
Change 

expand-check=0

to 

expand-check=1

In /etc/selinux/semanage.conf

And I believe it will be enforced.
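
The check that expand-check=1 turns on is libsemanage's neverallow assertion check: when the module store is rebuilt, attributes are expanded to their member types and every allow rule whose (source, target, class, permission) tuples intersect a neverallow is rejected; with expand-check=0 that pass is skipped, so the contradictory module in Example 2 loads silently. The script below is an added, independent model of that logic written for this page, not code from the bug, checkpolicy or libsepol. It parses a small subset of TE syntax and runs over a constructed policy fragment that approximates what the reporter's module expands to after m4 (treating domain_type() as a typeattribute onto domain and files_type() as one onto file_type is an assumption), plus an attribute-based contradiction of the kind the "Additional info" mentions. The names domain, file_type and shadow_t are refpolicy names; TePolicy, check_assertions and violations are this example's own.

```python
"""Model of the neverallow assertion check that expand-check=1 enables.

Independent illustration, not checkpolicy/libsepol code. Supports a tiny
subset of type-enforcement syntax: type, attribute, typeattribute, allow,
neverallow (with { } sets for types and permissions, and the `self` target).
"""
import re
from collections import defaultdict

# allow|neverallow SRC TGT : CLASS PERMS ;  where SRC, TGT and PERMS may be a
# single name or a brace-delimited set such as { read write }.
_SET = r"\{[^}]*\}|\S+"
RULE_RE = re.compile(
    rf"^(allow|neverallow)\s+({_SET})\s+({_SET})\s*:\s*(\S+)\s+({_SET})\s*;$"
)
DECL_KEYWORDS = ("type", "attribute", "typeattribute")


class TePolicy:
    """A handful of TE statements with attributes expanded to concrete types."""

    def __init__(self, text):
        self.types = set()
        self.attrs = defaultdict(set)   # attribute name -> member types
        self.allowed = set()            # concrete (src, tgt, class, perm) tuples
        self.neverallows = []           # (rule text, set of forbidden tuples)
        lines = [l.split("#", 1)[0].strip() for l in text.splitlines()]
        lines = [l for l in lines if l]
        # Two passes, like a real compiler: declarations first, then rules,
        # so rule order relative to typeattribute statements does not matter.
        rules = []
        for line in lines:
            if line.split(None, 1)[0] in DECL_KEYWORDS:
                self._declare(line)
            else:
                rules.append(line)
        for line in rules:
            self._rule(line)

    def _declare(self, line):
        if line.startswith("type "):
            # type foo_t;   or   type foo_t, attr_a, attr_b;
            names = [n.strip() for n in line[5:].rstrip(";").split(",")]
            self.types.add(names[0])
            for attr in names[1:]:
                self.attrs[attr].add(names[0])
        elif line.startswith("attribute "):
            self.attrs.setdefault(line[10:].rstrip(";").strip(), set())
        else:  # typeattribute foo_t attr_a, attr_b;
            name, attrs = line[14:].rstrip(";").split(None, 1)
            for attr in attrs.split(","):
                self.attrs[attr.strip()].add(name)

    def _rule(self, line):
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported statement: {line}")
        kind, src, tgt, cls, perms = m.groups()
        tuples = self._expand(src, tgt, cls, perms)
        if kind == "allow":
            self.allowed |= tuples
        else:
            self.neverallows.append((line, tuples))

    def _types_of(self, token):
        """Expand a name or { set } of names; an attribute becomes its members."""
        out = set()
        for name in token.strip("{}").split():
            if name in self.attrs:
                out |= self.attrs[name]
            elif name in self.types:
                out.add(name)
            else:
                raise ValueError(f"undeclared type or attribute: {name}")
        return out

    def _expand(self, src, tgt, cls, perms):
        """One rule -> the set of concrete (src, tgt, class, perm) tuples."""
        perm_set = set(perms.strip("{}").split())
        out = set()
        for s in self._types_of(src):
            targets = {s} if tgt == "self" else self._types_of(tgt)
            for t in targets:
                for p in perm_set:
                    out.add((s, t, cls, p))
        return out

    def check_assertions(self):
        """Return [(neverallow text, sorted offending tuples)]; empty means clean."""
        return [(text, sorted(forbidden & self.allowed))
                for text, forbidden in self.neverallows
                if forbidden & self.allowed]


# Constructed sample approximating the reporter's module after m4 expansion
# (assumed: domain_type -> typeattribute ... domain; files_type -> file_type),
# plus an attribute-level contradiction. shadow_t/domain/file_type are
# refpolicy names; the rules themselves are made up for this example.
SAMPLE_POLICY = """
attribute domain;
attribute file_type;
type shadow_t, file_type;
type neverallow_test_t;
typeattribute neverallow_test_t domain;
type neverallow_file_t;
typeattribute neverallow_file_t file_type;

# Example 2 from the bug: a direct, type-level contradiction.
neverallow neverallow_test_t neverallow_file_t:file read;
allow neverallow_test_t neverallow_file_t:file read;

# Attribute case: the allow names a concrete type, the neverallow its attribute.
neverallow domain shadow_t:file { write append };
allow neverallow_test_t shadow_t:file { read write };

# Satisfied assertion: nothing grants unlink, so this is not reported.
neverallow domain file_type:file unlink;
"""


def violations(policy_text=SAMPLE_POLICY):
    return TePolicy(policy_text).check_assertions()


if __name__ == "__main__":
    found = violations()
    for text, tuples in found:
        print(f"neverallow violated: {text}")
        for s, t, c, p in tuples:
            print(f"    by allow {s} {t}:{c} {p};")
    raise SystemExit(1 if found else 0)
```

Run stand-alone, it reports the two violated neverallows and exits non-zero, which is the behaviour the reporter expected from the compiler; the third assertion is satisfied and stays silent. Note that the intersection is computed on expanded tuples, which is why the neverallow on the domain attribute still catches an allow written against the concrete type neverallow_test_t.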

Comment 3 Daniel Walsh 2012-07-27 13:22:38 UTC
Since this version of Fedora is no longer supported I am closing this bug.  If you are still seeing this bug in a current version of Fedora, please reopen the bugzilla with the appropriate version number.

