Description of problem:
neverallow statements should not permit me to include allow rules that contradict one another in policy.

Version-Release number of selected component (if applicable):
At least checkpolicy 2.0.23-2 from F14. The issue is duplicated on F15.

How reproducible:
Consistently.

Steps to Reproduce:
Example 1: Attempt to find any neverallows in policy:
sesearch --neverallow

Example 2: Create the following module:
#=============
policy_module(neverallow_test, 0.0.1)

type neverallow_test_t;
domain_type(neverallow_test_t)

type neverallow_file_t;
files_type(neverallow_file_t);

neverallow neverallow_test_t neverallow_file_t: file read;
allow neverallow_test_t neverallow_file_t: file read;
#===============
make -f /usr/share/selinux/devel/Makefile load

Actual results:
Example 1: No results are found for any neverallow rules.
Example 2: The module above compiles successfully even though it explicitly contradicts itself. Searching for neverallow rules in the policy just compiled also produces negative results.

Expected results:
Example 1: I expect to see some neverallow rules, at least from base policy.
Example 2: The compiler should throw up an assertion error regarding the access requested.

Additional info:
The same holds true for modular policies that require base types (like shadow_t). It also applies to attributes.
This does not affect EL5 but EL6 appears to be affected by this problem.
Change expand-check=0 to expand-check=1 in /etc/selinux/semanage.conf and I believe it will be enforced.
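As an added illustration (not part of the bug report or of checkpolicy), a small Python lint that performs the neverallow-versus-allow comparison the compiler skips when expand-check=0, run over the module source from the report. It handles plain type names and { } permission sets only; attributes, macros, self and type aliases are out of scope.

```python
import re
from typing import Dict, List, Set, Tuple

# Module source copied from the bug report (constructed test input; the
# macro lines are kept but ignored by this simplified checker).
MODULE_TE = """
policy_module(neverallow_test, 0.0.1)
type neverallow_test_t;
domain_type(neverallow_test_t)
type neverallow_file_t;
files_type(neverallow_file_t);
neverallow neverallow_test_t neverallow_file_t: file read;
allow neverallow_test_t neverallow_file_t: file read;
"""

# Matches "allow SRC TGT:CLASS PERMS;" and "neverallow ..." where each of
# SRC, TGT, CLASS and PERMS is a single name or a "{ a b c }" set.
NAME_OR_SET = r"(\{[^}]*\}|\w+)"
RULE_RE = re.compile(
    r"^\s*(neverallow|allow)\s+" + NAME_OR_SET + r"\s+" + NAME_OR_SET
    + r"\s*:\s*" + NAME_OR_SET + r"\s+" + NAME_OR_SET + r"\s*;", re.M)

Access = Tuple[str, str, str, str]  # (source, target, class, permission)


def expand(field: str) -> Set[str]:
    """Turn a single name or a '{ a b }' set into a set of names."""
    return set(field.strip("{} \t").split())


def parse_rules(te_source: str) -> Dict[str, Set[Access]]:
    """Collect every (src, tgt, class, perm) tuple, keyed by rule kind."""
    rules: Dict[str, Set[Access]] = {"allow": set(), "neverallow": set()}
    for kind, src, tgt, cls, perms in RULE_RE.findall(te_source):
        for s in expand(src):
            for t in expand(tgt):
                for c in expand(cls):
                    for p in expand(perms):
                        rules[kind].add((s, t, c, p))
    return rules


def neverallow_violations(te_source: str) -> List[Access]:
    """Accesses both allowed and forbidden: what checkpolicy reports as an
    assertion failure when expand-check=1 is in effect."""
    rules = parse_rules(te_source)
    return sorted(rules["allow"] & rules["neverallow"])


if __name__ == "__main__":
    for src, tgt, cls, perm in neverallow_violations(MODULE_TE):
        print(f"neverallow violated: allow {src} {tgt}:{cls} {perm};")
```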
Since this version of Fedora is no longer supported I am closing this bug. If you are still seeing this bug in a current version of Fedora, please reopen the bugzilla with the appropriate version number.