Ensuring an SELinux rule is never allowed

It is possible to include statements in the SELinux policy that ensure that a particular access vector cannot be allowed, not even by enhancing the SELinux policy later. This is done with the neverallow statement.
How to do it...

To include the neverallow statements in the policy and enforce them, go through the following steps:

1. In /etc/selinux/semanage.conf, enable support for the neverallow statements by setting the expand-check variable to 1:

   expand-check=1

2. Create an SELinux policy in which the access vectors that should be explicitly forbidden are listed. Consider the following instance:

   neverallow user_t system_mail_t:process transition;

3. Build and load the policy.

4. Generate another policy that will allow the statement and attempt to load it:

   ~$ semodule -i mytest.pp
   libsepol.check_assertion_helper: neverallow violated by allow user_t system_mail_t:process { transition };
   libsemanage.semanage_expand_sandbox: Expand module failed
   semodule: Failed!
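To make the assertion check itself visible, here is an added example that is not from the book and not libsepol's code: a small Python checker that applies the same test (same source type, target type and object class, and at least one permission in common) to the rules used above. It assumes plain types only, with no attributes, type sets or self on either side.

```python
# Added example (not from the book and not libsepol): a minimal neverallow
# assertion checker that mirrors the check libsepol runs when expand-check=1.
# Assumptions: one plain type on each side, no attributes, type sets or `self`.
import re

RULE_RE = re.compile(
    r"^\s*(allow|neverallow)\s+(\w+)\s+(\w+)\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;\s*$"
)

def parse_rules(policy_text):
    """Return (kind, source, target, class, frozenset(perms)) per rule."""
    rules = []
    for line in policy_text.splitlines():
        line = line.split("#", 1)[0].strip()  # strip comments and blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported statement: %r" % line)
        kind, src, tgt, cls, perms = m.groups()
        rules.append((kind, src, tgt, cls, frozenset(perms.strip("{} ").split())))
    return rules

def check_assertions(policy_text):
    """Return the violation messages; an empty list means the policy passes."""
    rules = parse_rules(policy_text)
    nevers = [r for r in rules if r[0] == "neverallow"]
    violations = []
    for kind, src, tgt, cls, perms in rules:
        if kind != "allow":
            continue
        for _, nsrc, ntgt, ncls, nperms in nevers:
            hit = perms & nperms  # permissions both allowed and forbidden
            if (src, tgt, cls) == (nsrc, ntgt, ncls) and hit:
                violations.append("neverallow violated by allow %s %s:%s { %s };"
                                  % (src, tgt, cls, " ".join(sorted(hit))))
    return violations

# Constructed sample: the recipe's assertion plus an unrelated, harmless rule...
BASE_POLICY = """
neverallow user_t system_mail_t:process transition;
allow user_t user_home_t:file { read write };
"""
# ...and a module that tries to grant the forbidden transition anyway.
CONFLICTING_MODULE = "allow user_t system_mail_t:process { transition sigchld };"

if __name__ == "__main__":
    print(check_assertions(BASE_POLICY) or "base policy: no violations")
    print("\n".join(check_assertions(BASE_POLICY + CONFLICTING_MODULE)))
```

Only the permission actually covered by the neverallow (transition) is reported; the extra sigchld permission in the conflicting module is not a violation, which is the same behaviour the semodule error above shows.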