Assertions
- allows the policy writer to define a set of TE access vector assertions which are checked by the policy compiler
- used to detect errors in the TE access vector rules that may not be evident from a manual inspection of the rules
- specifies permissions which should not be used in an access vector for a given type pair and class
neverallow domain ~domain:process transition;
neverallow ~{ kmod_t insmod_t rmmod_t ifconfig_t }
self:capability sys_module;
neverallow local_login_t ~login_exec_t:file entrypoint;
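The following is an added example, not part of the original page and not the policy compiler's own code: a simplified Python model of the check, which expands each assertion above into access vectors and reports any allow rule that grants one of them. The type universe, the `allow` rules, and the names `httpd_t` and `shell_exec_t` are constructed for illustration.

```python
import re

# Constructed toy type universe (an assumption, not a real policy): type -> attributes.
TYPES = {t: {"domain"} for t in
         "kmod_t insmod_t rmmod_t ifconfig_t local_login_t httpd_t".split()}
TYPES.update({"login_exec_t": set(), "shell_exec_t": set()})

POLICY = """
neverallow domain ~domain:process transition;
neverallow ~{ kmod_t insmod_t rmmod_t ifconfig_t }
    self:capability sys_module;
neverallow local_login_t ~login_exec_t:file entrypoint;
# Constructed allow rules; three of them break an assertion above.
allow insmod_t self:capability sys_module;
allow httpd_t self:capability { net_bind_service sys_module };
allow local_login_t login_exec_t:file entrypoint;
allow local_login_t shell_exec_t:file { read entrypoint };
allow httpd_t shell_exec_t:process transition;
"""
TYPE_EXPR = r"(~?\{[^}]*\}|~?[^\s:;]+)"
RULE = re.compile(r"\b(allow|neverallow)\s+" + TYPE_EXPR + r"\s+" + TYPE_EXPR
                  + r"\s*:\s*(\w+)\s+(\{[^}]*\}|\w+)\s*;")

def expand(expr):
    """Resolve a type, attribute, { set } or ~complement to a set of types."""
    names = expr.lstrip("~").strip("{} ").split()
    out = {t for t, attrs in TYPES.items() if t in names or attrs & set(names)}
    return set(TYPES) - out if expr.startswith("~") else out

def vectors(src, tgt, cls, perms):
    """Yield every (source, target, class, permission) tuple a rule covers."""
    for s in expand(src):
        for t in ([s] if tgt == "self" else expand(tgt)):
            for p in perms.strip("{} ").split():
                yield s, t, cls, p

def check(policy):
    """Return sorted (vector, offending allow rule) pairs that break an assertion."""
    rules = RULE.findall(re.sub(r"#.*", "", policy))
    allowed = {}
    for kind, src, tgt, cls, perms in rules:
        if kind == "allow":
            for av in vectors(src, tgt, cls, perms):
                allowed.setdefault(av, f"allow {src} {tgt}:{cls} {perms};")
    return sorted({(av, allowed[av]) for kind, *rule in rules
                   if kind == "neverallow" for av in vectors(*rule) if av in allowed})

if __name__ == "__main__":
    for av, rule in check(POLICY):
        print("assertion violated by:", rule, "->", av)
```

Note that `self` binds the target to each source type in turn, which is why `insmod_t` keeps `sys_module` while `httpd_t` is flagged.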