AVCRules - Revision history http://selinuxproject.org/w/?title=AVCRules&action=history Revision history for this page on the wiki en MediaWiki 1.23.13 Thu, 28 Mar 2024 21:50:24 GMT RichardHaines: /* neverallow */ http://selinuxproject.org/w/?title=AVCRules&diff=1776&oldid=prev http://selinuxproject.org/w/?title=AVCRules&diff=1776&oldid=prev <p>‎<span dir="auto"><span class="autocomment">neverallow</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 11:08, 21 July 2015</td> </tr><tr><td colspan="2" class="diff-lineno">Line 190:</td> <td colspan="2" class="diff-lineno">Line 190:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| [[Bounds Rules | '''Previous''']]</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| [[Bounds Rules | '''Previous''']]</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| &lt;center&gt;[[NewUsers | '''Home''']]&lt;/center&gt;</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; 
border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>| &lt;center&gt;[[NewUsers | '''Home''']]&lt;/center&gt;</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>| &lt;center&gt;[[<del class="diffchange diffchange-inline">ObjectClassStatements </del>| '''Next''']]&lt;/center&gt;</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>| &lt;center&gt;[[<ins class="diffchange diffchange-inline">XpermRules </ins>| '''Next''']]&lt;/center&gt;</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|}</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>|}</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> </table> Tue, 21 Jul 2015 
11:08:20 GMT RichardHaines http://selinuxproject.org/page/Talk:AVCRules RichardHaines: /* Access Vector Rules */ http://selinuxproject.org/w/?title=AVCRules&diff=1772&oldid=prev http://selinuxproject.org/w/?title=AVCRules&diff=1772&oldid=prev <p>‎<span dir="auto"><span class="autocomment">Access Vector Rules</span></span></p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 11:01, 21 July 2015</td> </tr><tr><td colspan="2" class="diff-lineno">Line 1:</td> <td colspan="2" class="diff-lineno">Line 1:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>= Access Vector Rules =</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>= Access Vector Rules =</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The AV rules define what access control privileges are allowed for processes. There are four types of AV rule: allow, dontaudit, auditallow, and neverallow as explained in the sections that follow with a number of examples to cover all the scenarios. 
There is also an auditdeny rule, however it is no longer used in the Reference Policy and has been replaced by the dontaudit rule.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The AV rules define what access control privileges are allowed for processes. There are four types of AV rule: allow, dontaudit, auditallow, and neverallow as explained in the sections that follow with a number of examples to cover all the scenarios. There is also an auditdeny rule, however it is no longer used in the Reference Policy and has been replaced by the dontaudit rule.</div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;"></ins></div></td></tr> <tr><td colspan="2">&#160;</td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div><ins style="font-weight: bold; text-decoration: none;">From Policy version 30 with the target platform &lt;tt&gt;selinux&lt;/tt&gt;, the AVC rules have been extended to expand the permission sets from a fixed 32 bits to permission sets in 256 bit increments. 
The format of the new &lt;tt&gt;allowxperm&lt;/tt&gt;, &lt;tt&gt;dontauditxperm&lt;/tt&gt; and &lt;tt&gt;auditallowxperm&lt;/tt&gt; rules are discussed in the [[XpermRules | Extended Permission Access Vector Rules]] section.</ins></div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The general format of an AV rule is that the source_type is the identifier of a process that is attempting to access an object identifier target_type, that has an object class of class, and perm_set defines the access permissions source_type is allowed.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The general format of an AV rule is that the source_type is the identifier of a process that is attempting to access an object identifier target_type, that has an object class of class, and perm_set defines the access permissions source_type is allowed.</div></td></tr> </table> Tue, 21 Jul 2015 11:01:24 GMT RichardHaines http://selinuxproject.org/page/Talk:AVCRules RichardHaines at 15:41, 11 December 2014 
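Review bot: the added paragraph's second sentence has a number-agreement error: "The format of the new allowxperm, dontauditxperm and auditallowxperm rules are discussed" has the singular subject "format", so it should read "is discussed" (or "The formats ... are discussed"). The same paragraph says "the AVC rules have been extended" while the section heading and the paragraph just before it say "AV rules"; use one term throughout. "256 bit increments" should be hyphenated as "256-bit increments".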
http://selinuxproject.org/w/?title=AVCRules&diff=1739&oldid=prev http://selinuxproject.org/w/?title=AVCRules&diff=1739&oldid=prev <p></p> <a href="http://selinuxproject.org/w/?title=AVCRules&amp;diff=1739&amp;oldid=1011">Show changes</a> Thu, 11 Dec 2014 15:41:16 GMT RichardHaines http://selinuxproject.org/page/Talk:AVCRules Jaxelson: added internal links for rule types http://selinuxproject.org/w/?title=AVCRules&diff=1011&oldid=prev http://selinuxproject.org/w/?title=AVCRules&diff=1011&oldid=prev <p>added internal links for rule types</p> <table class='diff diff-contentalign-left'> <col class='diff-marker' /> <col class='diff-content' /> <col class='diff-marker' /> <col class='diff-content' /> <tr style='vertical-align: top;'> <td colspan='2' style="background-color: white; color:black; text-align: center;">← Older revision</td> <td colspan='2' style="background-color: white; color:black; text-align: center;">Revision as of 20:02, 31 August 2010</td> </tr><tr><td colspan="2" class="diff-lineno">Line 1:</td> <td colspan="2" class="diff-lineno">Line 1:</td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>= Access Vector Rules =</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>= Access Vector Rules =</div></td></tr> <tr><td class='diff-marker'>−</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #ffe49c; vertical-align: top; white-space: pre-wrap;"><div>The AV rules define what access control privileges are allowed for processes. 
There are four types of AV rule: allow, dontaudit, auditallow, and neverallow as explained in the sections that follow with a number of examples to cover all the scenarios. There is also an auditdeny rule, however it is no longer used in the Reference Policy and has been replaced by the dontaudit rule.</div></td><td class='diff-marker'>+</td><td style="color:black; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #a3d3ff; vertical-align: top; white-space: pre-wrap;"><div>The AV rules define what access control privileges are allowed for processes. There are four types of AV rule: <ins class="diffchange diffchange-inline">[[#</ins>allow <ins class="diffchange diffchange-inline">Rule|allow]]</ins>, <ins class="diffchange diffchange-inline">[[#</ins>dontaudit <ins class="diffchange diffchange-inline">Rule|dontaudit]]</ins>, <ins class="diffchange diffchange-inline">[[#</ins>auditallow <ins class="diffchange diffchange-inline">Rule|auditallow]]</ins>, and <ins class="diffchange diffchange-inline">[[#neverallow Rule|</ins>neverallow<ins class="diffchange diffchange-inline">]] </ins>as explained in the sections that follow with a number of examples to cover all the scenarios. 
There is also an auditdeny rule, however it is no longer used in the Reference Policy and has been replaced by the dontaudit rule.</div></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"></td></tr> <tr><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The general format of an AV rule is that the source_type is the identifier of a process that is attempting to access an object identifier target_type, that has an object class of class, and perm_set defines the access permissions source_type is allowed.</div></td><td class='diff-marker'>&#160;</td><td style="background-color: #f9f9f9; color: #333333; font-size: 88%; border-style: solid; border-width: 1px 1px 1px 4px; border-radius: 0.33em; border-color: #e6e6e6; vertical-align: top; white-space: pre-wrap;"><div>The general format of an AV rule is that the source_type is the identifier of a process that is attempting to access an object identifier target_type, that has an object class of class, and perm_set defines the access permissions source_type is allowed.</div></td></tr> </table> Tue, 31 Aug 2010 20:02:27 GMT Jaxelson http://selinuxproject.org/page/Talk:AVCRules RichardHaines: New page: = Access Vector Rules = The AV rules define what access control privileges are allowed for processes. 
There are four types of AV rule: allow, dontaudit, auditallow, and neverallow as expla...
http://selinuxproject.org/w/?title=AVCRules&diff=837&oldid=prev
<p><b>New page</b></p>
<div>= Access Vector Rules =

The AV rules define what access control privileges are allowed for processes. There are four types of AV rule: allow, dontaudit, auditallow, and neverallow, as explained in the sections that follow, with a number of examples to cover all the scenarios. There is also an auditdeny rule; however, it is no longer used in the Reference Policy and has been replaced by the dontaudit rule.

The general format of an AV rule is that the source_type is the identifier of a process that is attempting to access an object identifier target_type, that has an object class of class, and perm_set defines the access permissions source_type is allowed.

'''The common format of the Access Vector Rule is:'''
<pre>
rule_name source_type target_type : class perm_set;
</pre>

'''Where:'''
{|border="1"
|rule_name
|The applicable allow, dontaudit, auditallow, and neverallow rule keyword.
|-
|source_type

target_type
|One or more source / target type or attribute identifiers. Multiple entries consist of a space separated list enclosed in braces ({}). Entries can be excluded from the list by using the negative operator (-).

The target_type can have the self keyword instead of type or attribute identifiers. This means that the target_type is the same as the source_type.

The neverallow rule also supports the wildcard operator (*) to specify that all types are to be included and the complement operator (~) to specify that all types are to be included except those explicitly listed.
|-
|class
|One or more object classes. Multiple entries consist of a space separated list enclosed in braces ({}).
|-
|perm_set
|The access permissions the source is allowed to access for the target object (also known as the Access Vector). Multiple entries consist of a space separated list enclosed in braces ({}).

The optional wildcard operator (*) specifies that all permissions for the object class can be used.

The complement operator (~) is used to specify all permissions except those explicitly listed (although the compiler issues a warning if the dontaudit rule has '~').
|}

'''The statements are valid in:'''
{|border="1"
|<center>'''Monolithic Policy'''</center>
|<center>'''Base Policy'''</center>
|<center>'''Module Policy'''</center>
|-
|<center>Yes</center>
|<center>Yes</center>
|<center>Yes</center>
|-
|<center>'''Conditional Policy (if) Statement'''</center>
|<center>'''optional Statement'''</center>
|<center>'''require Statement'''</center>
|-
|allow = Yes

auditallow = Yes

dontaudit = Yes

neverallow = No
|allow = Yes

auditallow = Yes

dontaudit = Yes

neverallow = Yes
|allow = No

auditallow = No

dontaudit = No

neverallow = No
|}

== allow Rule ==
The allow rule checks whether the operations between the source_type and target_type are allowed. It is the most common statement, and many of the Reference Policy helper macros and interface definitions expand into multiple allow rules.

'''Examples:'''
<pre>
# Using the allow rule to show that initrc_t is allowed access
# to files of type acct_exec_t that have the getattr, read and
# execute file permissions:

allow initrc_t acct_exec_t:file { getattr read execute };
</pre>

<pre>
# This rule includes an attribute filesystem_type and states
# that kernel_t is allowed mount permissions on the filesystem
# object for all types associated to the filesystem_type
# attribute:

allow kernel_t filesystem_type:filesystem mount;
</pre>

<pre>
# This rule includes the self keyword in the target_type that
# states that staff_t is allowed setgid, chown and fowner
# permissions on the capability object:

allow staff_t self:capability { setgid chown fowner };

# This would be the same as the above:

allow staff_t staff_t:capability { setgid chown fowner };
</pre>

<pre>
# This rule includes the wildcard operator (*) on the perm_set
# and states that bootloader_t is allowed to use all permissions
# available on the dbus object that are type system_dbusd_t:

allow bootloader_t system_dbusd_t:dbus *;

# This would be the same as the above:

allow bootloader_t system_dbusd_t:dbus { acquire_svc send_msg };
</pre>

<pre>
# This rule includes the complement operator (~) on the perm_set
# and two class entries file and chr_file.
#
# The allow rule states that all types associated with the
# attribute files_unconfined_type are allowed to use all
# permissions available on the file and chr_file objects except
# the execmod permission when they are associated to the types
# listed within the attribute file_type:

allow files_unconfined_type file_type:{ file chr_file } ~execmod;
</pre>

== dontaudit Rule ==
The dontaudit rule stops the auditing of denial messages, as it is known that this event always happens and does not cause any real issues. This also helps to manage the audit log by excluding known events.

'''Example:'''
<pre>
# Using the dontaudit rule to stop auditing events that are
# known to happen. The rule states that when the traceroute_t
# process is denied access to the name_bind permission on a
# tcp_socket for all types associated to the port_type
# attribute (except port_t), then do not audit the event:

dontaudit traceroute_t { port_type -port_t }:tcp_socket name_bind;
</pre>

== auditallow Rule ==
The auditallow rule audits the event as a record, as it is useful for auditing purposes. Note that this rule only audits the event; it still requires the allow rule to grant permission.

'''Example:'''
<pre>
# Using the auditallow rule to force an audit event to be
# logged. The rule states that when the ada_t process has
# permission to execstack, then that event must be audited:

auditallow ada_t self:process execstack;
</pre>

== neverallow Rule ==
This rule specifies that an allow rule must not be generated for the operation, even if it has been previously allowed. The neverallow statement is a compiler enforced action, where the checkpolicy or checkmodule compiler checks if any allow rules have been generated in the policy source; if so, it will issue a warning and stop.

'''Examples:'''
<pre>
# Using the neverallow rule to state that no allow rule may ever
# grant any file read access to type shadow_t except those
# associated with the can_read_shadow_passwords attribute:

neverallow ~can_read_shadow_passwords shadow_t:file read;
</pre>

<pre>
# Using the neverallow rule to state that no allow rule may ever
# grant the mmap_zero permission to any type associated to the domain
# attribute except those associated to the mmap_low_domain_type
# attribute (as these have been excluded by the negative
# operator (-)):

neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
</pre></div>
Sun, 29 Nov 2009 15:09:49 GMT RichardHaines http://selinuxproject.org/page/Talk:AVCRules
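The rule grammar from the "Where" table and the compile-time neverallow check described in the neverallow section, worked through as an added Python example (this is not code from the SELinux project or from the wiki page). The parser accepts `rule_name source_type target_type : class perm_set;` with brace lists, `-` exclusion, the `self` keyword, and `*`/`~`, rejecting `*`/`~` on the type fields outside neverallow as the table states. It then expands attributes and reports every allow rule whose accesses overlap a neverallow rule, which is the check the page attributes to checkpolicy/checkmodule. The type universe, attribute memberships and per-class permission lists (`SAMPLE_TYPES`, `SAMPLE_ATTRIBUTES`, `SAMPLE_CLASS_PERMS`) are constructed for the example; the sample rules are the page's own plus two constructed allow rules that collide with its neverallow examples.

```python
"""Parse SELinux access vector (AV) rules and check allow rules against neverallow rules."""
import re
from typing import NamedTuple

class SetExpr(NamedTuple):
    mode: str                     # 'list' (include minus exclude), 'all' for '*', 'complement' for '~'
    include: frozenset = frozenset()
    exclude: frozenset = frozenset()

class AVRule(NamedTuple):
    rule_name: str
    source: SetExpr
    target: SetExpr               # SetExpr('list', frozenset({'self'})) for the self keyword
    classes: SetExpr
    perms: SetExpr
    text: str                     # the statement with any trailing '#' comment removed

def _tokenize(text):
    """Drop '#' comments; make braces, ':', ';' and '~' their own tokens."""
    return re.sub(r"([{}:;~])", r" \1 ", re.sub(r"#.*", "", text)).split()

def _parse_set(tokens, i):
    """Parse one set expression at tokens[i]; return (SetExpr, index after it)."""
    if tokens[i] == "*":
        return SetExpr("all"), i + 1
    mode, i = ("complement", i + 1) if tokens[i] == "~" else ("list", i)   # '~X' = all except X
    if tokens[i] != "{":                                                   # a single identifier
        return SetExpr(mode, frozenset([tokens[i]])), i + 1
    inc, exc, i = set(), set(), i + 1                                      # '{ a b -c }' list
    while tokens[i] != "}":
        (exc if tokens[i].startswith("-") else inc).add(tokens[i].lstrip("-"))
        i += 1
    if mode == "complement" and exc:
        raise ValueError("'-' inside a '~' set has no meaning")
    return SetExpr(mode, frozenset(inc), frozenset(exc)), i + 1

def parse_rule(text):
    """Parse one statement of the form: rule_name source_type target_type : class perm_set;"""
    tokens = _tokenize(text)
    if not tokens or tokens[0] not in ("allow", "dontaudit", "auditallow", "neverallow"):
        raise ValueError(f"unknown rule keyword in: {text!r}")
    source, i = _parse_set(tokens, 1)
    target, i = _parse_set(tokens, i)
    if tokens[i] != ":":
        raise ValueError("expected ':' between target_type and class")
    classes, i = _parse_set(tokens, i + 1)
    perms, i = _parse_set(tokens, i)
    if tokens[i:] != [";"]:
        raise ValueError("rule must end with a single ';'")
    if tokens[0] != "neverallow" and (source.mode != "list" or target.mode != "list"):
        raise ValueError(f"the page documents '*' and '~' on types only for neverallow: {text!r}")
    return AVRule(tokens[0], source, target, classes, perms, re.sub(r"#.*", "", text).strip())

def _expand(expr, universe, attributes):
    """Resolve attributes to their member types, then apply '*', '~' and '-'."""
    members = lambda names: set().union(*[attributes.get(n, {n}) for n in names])
    if expr.mode == "all":
        return set(universe)
    base = set(universe) - members(expr.include) if expr.mode == "complement" else members(expr.include)
    return base - members(expr.exclude)

def access_tuples(rule, types, attributes, class_perms):
    """Every concrete (source, target, class, perm) the rule covers; 'self' pairs each source with itself."""
    sources = _expand(rule.source, types, attributes)
    pairs = ({(s, s) for s in sources} if rule.target == SetExpr("list", frozenset({"self"}))
             else {(s, t) for s in sources for t in _expand(rule.target, types, attributes)})
    return {(s, t, c, p) for c in _expand(rule.classes, set(class_perms), {})
            for p in _expand(rule.perms, class_perms.get(c, set()), {}) for s, t in pairs}

def neverallow_violations(rules, *env):
    """The compile-time check the page describes: allow rules whose accesses overlap a neverallow."""
    allows = [r for r in rules if r.rule_name == "allow"]
    nevers = [r for r in rules if r.rule_name == "neverallow"]
    hits = ((a, n, access_tuples(a, *env) & access_tuples(n, *env)) for a in allows for n in nevers)
    return [(a, n, sorted(h)) for a, n, h in hits if h]

# Constructed sample universe (not a real policy's values), with per-class permission lists for '*'/'~'.
SAMPLE_ATTRIBUTES = {"domain": {"initrc_t", "passwd_t", "staff_t", "bootloader_t", "traceroute_t"},
                     "can_read_shadow_passwords": {"passwd_t"}, "mmap_low_domain_type": {"bootloader_t"}}
SAMPLE_TYPES = set().union(*SAMPLE_ATTRIBUTES.values()) | {"shadow_t", "acct_exec_t", "system_dbusd_t"}
SAMPLE_CLASS_PERMS = {"file": {"getattr", "read", "write", "execute", "execmod"}, "memprotect": {"mmap_zero"},
                      "dbus": {"acquire_svc", "send_msg"}}   # the page equates dbus '*' with these two
# The page's own example rules plus two constructed allow rules that collide with them.
SAMPLE_RULES = """
allow initrc_t acct_exec_t:file { getattr read execute };
allow bootloader_t system_dbusd_t:dbus *;
neverallow ~can_read_shadow_passwords shadow_t:file read;
neverallow { domain -mmap_low_domain_type } self:memprotect mmap_zero;
allow passwd_t shadow_t:file { read write };  # fine: passwd_t carries the attribute
allow initrc_t shadow_t:file read;            # constructed: hits the first neverallow
allow staff_t self:memprotect mmap_zero;      # constructed: hits the second neverallow
"""

def check_sample():
    rules = [parse_rule(line) for line in SAMPLE_RULES.splitlines() if _tokenize(line)]
    return neverallow_violations(rules, SAMPLE_TYPES, SAMPLE_ATTRIBUTES, SAMPLE_CLASS_PERMS)

if __name__ == "__main__":
    print(*(f"'{a.text}' collides with '{n.text}'" for a, n, _ in check_sample()), sep="\n")
```

Running the block reports the two constructed allow rules, one caught by the `~can_read_shadow_passwords` complement and one caught through `self` on the `{ domain -mmap_low_domain_type }` set, while the `passwd_t` rule passes because the attribute exception removes it from the forbidden source set. Expanding both sides to concrete (source, target, class, permission) tuples is what makes attributes, `self`, `*` and `~` compare uniformly.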