Is it possible to add a 'neverallow' statement to the existing SELinux policy?

Solution Unverified - Updated -

Issue

  • I'm trying to override an 'allow' statement in an SELinux policy by specifying a 'neverallow' statement in a custom policy source.
  • As slightly stated on http://selinuxproject.org/page/AVCRules and several other web pages, it is a compile-time check, thus when a binary policy is already loaded and I'm trying to override this, it fails with:

    # semodule -i policy.pp
    libsepol.check_assertion_helper: neverallow violated by allow type_t type_t:capability { dac_override dac_read_search };
    libsemanage.semanage_expand_sandbox: Expand module failed
    semodule:  Failed!
    
  • What I expect to be able to do is still override this / remove the original statement from the base policy / compile the SELinux policy source by hand, and still have a situation supported by Red Hat.
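A minimal policy module that reproduces the assertion failure quoted above, as an added example (not part of the Red Hat solution or the selinuxproject page); `type_t` is the placeholder type from the error message and the module name is assumed:

```selinux
# myneverallow.te -- added example, not part of the original solution.
# Build against the RHEL 6 policy devel Makefile, then try to install:
#   make -f /usr/share/selinux/devel/Makefile myneverallow.pp
#   semodule -i myneverallow.pp
policy_module(myneverallow, 1.0)

require {
    type type_t;        # placeholder type taken from the error message
    class capability { dac_override dac_read_search };
}

# neverallow is an assertion evaluated when the binary policy is expanded
# (libsepol.check_assertion_helper), not a rule enforced at runtime. Because
# the loaded base policy still contains the matching allow rule, semodule -i
# aborts with "neverallow violated by allow ..." and nothing is revoked.
neverallow type_t type_t:capability { dac_override dac_read_search };
```

Before loading, `sesearch --allow -s type_t -t type_t -c capability` (setools) lists the existing allow rules the assertion would collide with.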

Environment

  • Red Hat Enterprise Linux (RHEL) 6
