Is it possible to add a 'neverallow' statement to the existing SELinux policy?

Solution Unverified - Updated -

Issue

  • I'm trying to override an 'allow' statement in an SELinux policy by specifying a 'neverallow' statement in a custom policy source.
  • As briefly stated on http://selinuxproject.org/page/AVCRules and several other web pages, it is a compile-time check, so when a binary policy is already loaded and I try to override it, this fails with:

    # semodule -i policy.pp
    libsepol.check_assertion_helper: neverallow violated by allow type_t type_t:capability { dac_override dac_read_search };
    libsemanage.semanage_expand_sandbox: Expand module failed
    semodule:  Failed!
    
  • What I'm expected to do is still override this / remove the original statement from the base policy / compile the SELinux policy source by hand, and still have a situation that is supported by Red Hat.
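
To see why the install fails instead of the 'neverallow' winning, here is an added Python model of the assertion check that libsepol's expand step performs (an illustration written for this page, not libsepol's or Red Hat's code). The rule texts, the type name type_t and the single-type, single-class rule grammar are constructed assumptions; attributes, self and ~ complements are not modelled.

```python
"""Added model of the neverallow assertion that libsepol runs when a policy
module is expanded (the step behind 'semodule -i'). Illustration for this
page only, not libsepol or Red Hat code. Assumptions: rules are written as
'allow|neverallow SRC TGT:CLASS PERMS;' with single types and classes; the
type 'type_t' and the rule texts below are constructed inputs.
"""
import re
from collections import defaultdict

RULE_RE = re.compile(
    r"^(allow|neverallow)\s+(\S+)\s+(\S+)\s*:\s*(\S+)\s+(\{[^}]*\}|\S+?)\s*;$"
)

# Constructed stand-in for rules the already-loaded base policy contains.
BASE_POLICY = """
allow type_t type_t:capability { dac_override dac_read_search };
allow type_t type_t:file { read write };
"""

# Constructed stand-in for the custom module that tries to add a neverallow.
CUSTOM_MODULE = """
neverallow type_t type_t:capability { dac_override dac_read_search };
"""


def parse_rules(text):
    """Parse TE rules into (kind, src, tgt, cls, perms) tuples; '#' starts a comment."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError("unsupported rule (model handles single types only): " + line)
        kind, src, tgt, cls, perms = m.groups()
        rules.append((kind, src, tgt, cls, frozenset(perms.strip("{} ").split())))
    return rules


def check_assertions(rules):
    """Mimic libsepol's expand-time check: every neverallow is an assertion that
    no allow anywhere in the linked policy grants any of its permissions.
    Returns the violation messages; an empty list means the policy would load."""
    granted = defaultdict(set)
    for kind, src, tgt, cls, perms in rules:
        if kind == "allow":
            granted[(src, tgt, cls)] |= perms
    violations = []
    for kind, src, tgt, cls, perms in rules:
        if kind == "neverallow":
            clash = granted[(src, tgt, cls)] & perms
            if clash:
                violations.append("neverallow violated by allow %s %s:%s { %s };"
                                  % (src, tgt, cls, " ".join(sorted(clash))))
    return violations


def drop_allow(rules, src, tgt, cls, perms):
    """Remove permissions from matching allow rules, i.e. edit the *source* of
    the base policy; this is the only way the assertion can be satisfied."""
    out = []
    for kind, s, t, c, p in rules:
        if kind == "allow" and (s, t, c) == (src, tgt, cls):
            p = p - frozenset(perms)
            if not p:
                continue
        out.append((kind, s, t, c, p))
    return out


def demo():
    base = parse_rules(BASE_POLICY)
    module = parse_rules(CUSTOM_MODULE)
    # 1. Installing the module against the existing base: the assertion fails.
    with_allow = check_assertions(base + module)
    # 2. Same module after the allow is removed from base and everything rebuilt.
    trimmed = drop_allow(base, "type_t", "type_t", "capability",
                         ["dac_override", "dac_read_search"])
    after_fix = check_assertions(trimmed + module)
    return {"with_base_allow": with_allow, "after_removing_allow": after_fix}


if __name__ == "__main__":
    for step, msgs in demo().items():
        print(step + ":", msgs or "policy expands cleanly")
```

The first result reproduces the message from the failed 'semodule -i' above; the second shows that the assertion only passes once the conflicting 'allow' is gone from the combined policy. A 'neverallow' is a build-time assertion over all linked modules, not a deny rule the kernel evaluates, so adding one in a module can never subtract a permission the base policy grants. On the live system, sesearch -A -s type_t -t type_t -c capability against the loaded policy shows whether such an 'allow' is present before you build.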

Environment

  • Red Hat Enterprise Linux (RHEL) 6

Subscriber exclusive content