Statement precedence/priority (neverallow)
Mr Dash Four
mr.dash.four at googlemail.com
Tue Sep 21 11:18:25 UTC 2010
In the standard policy most of the kernel/service modules allow access
to unlabelled traffic, interfaces and nodes.

I have a simple question regarding this: if I were to write an
additional module and include a neverallow statement to deny previously
granted access to such resources, would this be enough (my understanding
of neverallow is that it just checks whether previous 'allow' statements
were issued and if so, generates a warning and stops)?

If neverallow is not the way to go, what could I do, short of altering
every single policy file and removing the appropriate allow statements, to
disable such access to the above resources?