Is it possible to add a 'neverallow' statement to the existing SELinux policy?
Issue
- I'm trying to override an 'allow' statement in an SELinux policy by specifying a 'neverallow' statement in a custom policy source.
- As briefly stated on http://selinuxproject.org/page/AVCRules and several other web pages, it is a compile-time check, so when a binary policy is already loaded and I try to override this, it fails with:

    # semodule -i policy.pp
    libsepol.check_assertion_helper: neverallow violated by allow type_t type_t:capability { dac_override dac_read_search };
    libsemanage.semanage_expand_sandbox: Expand module failed
    semodule: Failed!

- What am I expected to do: still override this, remove the original statement from the base policy, or compile the SELinux policy source by hand, and still have a situation supported by Red Hat?
Environment
- Red Hat Enterprise Linux (RHEL) 6
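To make the error above easier to reason about, here is a small model of the neverallow assertion check, written as an added example for this page. It is not libsepol's or Red Hat's code, and it handles only a subset of TE syntax (plain type names, one class, a brace-delimited permission set; no attributes, `self`, `*` or `~`). The base-policy rule and the custom-module rule it checks are constructed sample input. The point it demonstrates: the assertion is evaluated after the module has been linked with everything already loaded, so a neverallow in a module is checked against the base policy's own allow rules and can never retract one; the only state that passes is one where the conflicting allow is absent from the linked policy.

```python
"""Toy model of the SELinux neverallow assertion check.

Added example, not libsepol's check_assertion_helper. Rule grammar is a
small subset of TE syntax:

    allow      SRC TGT:CLASS { perm ... };
    neverallow SRC TGT:CLASS { perm ... };

where SRC and TGT are plain type names.
"""
import re
from dataclasses import dataclass

RULE_RE = re.compile(
    r'^(allow|neverallow)\s+(\S+)\s+(\S+):(\S+)\s+(\{[^}]*\}|\S+)\s*;$')


@dataclass(frozen=True)
class Rule:
    kind: str        # 'allow' or 'neverallow'
    source: str
    target: str
    cls: str
    perms: frozenset


def parse_rules(text):
    """Parse TE-style rules, one per line; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split('#', 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unparsable rule: {line!r}")
        kind, src, tgt, cls, perms = m.groups()
        perms = frozenset(perms.strip('{}').split())
        rules.append(Rule(kind, src, tgt, cls, perms))
    return rules


def check_assertions(rules):
    """Return (neverallow, allow, perms) for every allow that grants a
    permission some neverallow forbids for the same source/target/class."""
    violations = []
    allows = [r for r in rules if r.kind == 'allow']
    for na in (r for r in rules if r.kind == 'neverallow'):
        for al in allows:
            if (al.source, al.target, al.cls) != (na.source, na.target, na.cls):
                continue
            overlap = al.perms & na.perms
            if overlap:
                violations.append((na, al, sorted(overlap)))
    return violations


def format_violation(na, al, perms):
    """Render a violation in the shape of the libsepol message quoted above."""
    return "neverallow violated by allow %s %s:%s { %s };" % (
        al.source, al.target, al.cls, ' '.join(perms))


# Constructed sample input: an allow already present in the loaded base
# policy, and the custom module that tries to forbid the same access.
BASE_POLICY = """
allow type_t type_t:capability { dac_override dac_read_search };
allow type_t type_t:process { fork };
"""
CUSTOM_MODULE = """
neverallow type_t type_t:capability { dac_override dac_read_search };
"""


def expand_and_check(base, module):
    """Link base + module, then run the assertions over the whole result.
    The neverallow is checked against every rule in the linked policy, not
    only the rules in the module that declares it."""
    return check_assertions(parse_rules(base) + parse_rules(module))


if __name__ == '__main__':
    for na, al, perms in expand_and_check(BASE_POLICY, CUSTOM_MODULE):
        print("libsepol.check_assertion_helper:", format_violation(na, al, perms))
```

Running it prints the same violation line as the real `semodule -i` failure. Replacing `CUSTOM_MODULE` with a neverallow that does not overlap the base allow (for example a different permission) yields no violations, which is the condition the real expander needs before it will install the module.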