Ensuring an SELinux rule is never allowed
It is possible to include statements in the SELinux policy that ensure that a particular access vector can never be granted, not even by a policy module that is loaded later. This is done with the neverallow statement. A neverallow is an assertion rather than a rule: it is verified when the policy modules are linked and expanded into the final policy, and a module whose allow rule contradicts it is refused at that point.
How to do it…
To include neverallow statements in the policy and have them enforced, go through the following steps:
1. In /etc/selinux/semanage.conf, enable checking of neverallow statements by setting the expand-check variable to 1:
expand-check=1
This option controls whether libsemanage verifies the assertions when it expands the linked policy. With expand-check=0 a neverallow statement is still accepted at build time, but a conflicting allow rule in another module loads without complaint. Be aware that the assertions are checked against the whole linked policy: if a module that is already installed violates a neverallow, every subsequent semodule operation fails until that violation is removed.
2. Create an SELinux policy module that lists the access vectors that must never be granted. Consider the following instance:
neverallow user_t system_mail_t:process transition;
3. Build the module and load it with semodule.
4. Build another module that contains the corresponding allow rule (allow user_t system_mail_t:process transition;) and attempt to load it. The load is refused and the violated neverallow is reported:
~$ semodule -i mytest.pp
libsepol.check_assertion_helper: neverallow violated by allow user_t system_mail_t:process { transition };
libsemanage.semanage_expand_sandbox: Expand module failed
semodule: Failed!
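The four steps above as one script, added here as an example and not part of the original recipe. It uses the raw module toolchain (checkmodule, semodule_package, semodule) instead of a refpolicy Makefile build, which the recipe leaves unspecified; the module name mail_neverallow, the file layout, the --run flag and the temporary working directory are this example's own choices. The helpers that edit semanage.conf and write the .te files take a path as parameter, so they can be exercised on copies without touching /etc.

```shell
#!/bin/sh
# Added example (not from the recipe): script the whole neverallow round trip.
# Assumptions: the raw toolchain (checkmodule, semodule_package, semodule) is
# used instead of the refpolicy Makefile, and the module names mail_neverallow
# and mytest are this script's own choice.
set -u

# Force expand-check=1 in a semanage.conf. The path is a parameter so the
# function can be exercised on a copy; on a real system pass
# /etc/selinux/semanage.conf. Prints the number of expand-check=1 lines
# present afterwards (expected: 1).
enable_expand_check() {
    conf="$1"
    tmp="$conf.tmp"
    # Drop any existing setting (0 or 1, with or without spaces), then append.
    { grep -v '^[[:space:]]*expand-check[[:space:]]*=' "$conf" || :; } > "$tmp"
    printf 'expand-check=1\n' >> "$tmp"
    mv "$tmp" "$conf"
    grep -c '^expand-check=1$' "$conf"
}

# Restricting module: the neverallow from the recipe. The require block is
# needed because the types and the class are defined by the base policy.
write_neverallow_module() {
    cat > "$1" <<'EOF'
module mail_neverallow 1.0;

require {
    type user_t;
    type system_mail_t;
    class process transition;
}

# Nothing loaded later may grant this permission.
neverallow user_t system_mail_t:process transition;
EOF
}

# Conflicting module: the allow rule a later policy author might try to add.
write_conflicting_module() {
    cat > "$1" <<'EOF'
module mytest 1.0;

require {
    type user_t;
    type system_mail_t;
    class process transition;
}

allow user_t system_mail_t:process transition;
EOF
}

# Compile one .te into a loadable .pp; -M matches an MLS/MCS-enabled base
# policy (e.g. targeted). Prints the .pp path.
build_module() {
    te="$1"
    base="${te%.te}"
    checkmodule -M -m -o "$base.mod" "$te" &&
        semodule_package -o "$base.pp" -m "$base.mod" &&
        printf '%s\n' "$base.pp"
}

# Full round trip; needs root on an SELinux system. Returns 0 only when the
# conflicting allow is rejected with a neverallow violation, 2 when the
# toolchain is missing.
demo() {
    for tool in checkmodule semodule_package semodule; do
        command -v "$tool" >/dev/null 2>&1 || { echo "$tool not found" >&2; return 2; }
    done
    work=$(mktemp -d)
    write_neverallow_module "$work/mail_neverallow.te"
    write_conflicting_module "$work/mytest.te"
    restrict=$(build_module "$work/mail_neverallow.te") || return 1
    conflict=$(build_module "$work/mytest.te") || return 1
    semodule -i "$restrict" || return 1
    if out=$(semodule -i "$conflict" 2>&1); then
        echo "conflicting allow was accepted: is expand-check=1 in semanage.conf?" >&2
        semodule -r mytest
        return 1
    fi
    # Distinguish the expected assertion failure from any other load error.
    printf '%s\n' "$out" | grep -q 'neverallow violated' || { printf '%s\n' "$out" >&2; return 1; }
    echo "mytest.pp rejected: neverallow enforced"
}

# Sourcing the file defines the functions only; pass --run to do the round trip.
if [ "${1:-}" = "--run" ]; then
    demo
fi
```

Save it as, for instance, neverallow_demo.sh and run sh neverallow_demo.sh --run as root on a test machine after enable_expand_check has been applied to /etc/selinux/semanage.conf; the script exits 1 if the conflicting module is accepted, which is the symptom of expand-check still being 0. Try it on a test system first, because once expand-check=1 is in force any neverallow already violated by the installed policy will make every semodule command fail.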