selinux January 2010 archive

Re: Stopping COTS from accessing root directory

From: Stephen Smalley <sds_at_nospam>
Date: Fri Jan 29 2010 - 15:25:35 GMT
To: Gregg Tomas <>

On Thu, 2010-01-28 at 16:28 -0800, Gregg Tomas wrote:
> Hello Everyone,
> Bear with me, I am fairly new to SELinux policy writing.
> How do you write a rule to stop an application from accessing the root
> (/) directory?
> I am running Open Office (openoffice_exec_t) and whenever I open the
> open dialog (from the menubar, File -> Open), on the top right of the
> open dialog, there are 3 buttons. The leftmost button is the "up one
> level" button. If you click and hold your mouse left button down on
> it, a sub menu appears and displays a menu item called Workplace. If I
> click on it, it will bring you to the root directory (/). I am trying to
> prevent that. I have a neverallow rule in my test.te:
> neverallow openoffice_exec_t root_t:dir { search };
> However, it still transitions there after I touch /.autorelabel and
> reboot.
> Thanks.

neverallow rules are assertions that are checked by the policy compiler. They are not "deny" rules (nor is there such a thing in SELinux), and they do not remove allow rules. They just cause a policy build to fail if they are violated.

They only get checked if you set expand-check=1 in your /etc/selinux/semanage.conf or you perform a local build via semodule_link and semodule_expand (as is done in the make validate target of refpolicy).

-- 
Stephen Smalley
National Security Agency
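To make the distinction in the reply concrete, here is a small added model (not SELinux's checkpolicy, not refpolicy code, and not part of the original thread) of how a policy compiler treats the two statement kinds: `allow` rules populate the access table that the kernel will enforce, while `neverallow` rules only assert against that table and never subtract from it. The sample policy text is constructed for the illustration and reuses the type names from the post; the only syntax handled is the `allow`/`neverallow` subset that appears there.

```python
"""Toy model of allow vs. neverallow semantics (added illustration, not
SELinux tooling). Parses a tiny .te-style subset and shows that a
neverallow only reports a conflict; the allow rule still stands."""
import re
from collections import defaultdict
from typing import Dict, List, Set, Tuple

# allow|neverallow <source> <target>:<class> { perms } ;  (or a single perm)
RULE_RE = re.compile(
    r"^\s*(allow|neverallow)\s+(\S+)\s+(\S+):(\S+)\s+\{?\s*([^};]+?)\s*\}?\s*;\s*$"
)

AccessTable = Dict[Tuple[str, str, str], Set[str]]   # (src, tgt, class) -> perms
Assertion = Tuple[str, str, str, Set[str]]

def parse_rules(policy: str) -> Tuple[AccessTable, List[Assertion]]:
    """Build the access table from allow rules; collect neverallows separately.
    Note that a neverallow never touches `allowed` here, just as it never
    removes anything from a real compiled policy."""
    allowed: AccessTable = defaultdict(set)
    assertions: List[Assertion] = []
    for raw in policy.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments / blank lines
        if not line:
            continue
        m = RULE_RE.match(line)
        if not m:
            raise ValueError(f"unsupported statement: {line!r}")
        kind, src, tgt, cls, perms = m.groups()
        permset = set(perms.split())
        if kind == "allow":
            allowed[(src, tgt, cls)] |= permset
        else:
            assertions.append((src, tgt, cls, permset))
    return allowed, assertions

def check_assertions(allowed: AccessTable, assertions: List[Assertion]) -> List[str]:
    """The step that expand-check=1 (or semodule_link/semodule_expand) turns on:
    report every neverallow that the allow rules violate. Pure read-only
    check; it does not modify the access table."""
    violations = []
    for src, tgt, cls, perms in assertions:
        hit = allowed.get((src, tgt, cls), set()) & perms
        if hit:
            violations.append(
                f"neverallow {src} {tgt}:{cls} {{ {' '.join(sorted(hit))} }} "
                "violated by an allow rule"
            )
    return violations

def is_allowed(allowed: AccessTable, src: str, tgt: str, cls: str, perm: str) -> bool:
    """What the kernel would decide: only the access table matters."""
    return perm in allowed.get((src, tgt, cls), set())

# Constructed sample: an allow that already exists somewhere in the loaded
# policy, plus the neverallow from the poster's test.te.
SAMPLE_POLICY = """
allow openoffice_exec_t root_t:dir { search getattr };   # pre-existing grant
neverallow openoffice_exec_t root_t:dir { search };      # the poster's rule
"""

def demo() -> Tuple[List[str], bool]:
    """Returns (assertion failures, whether search on / is still permitted)."""
    allowed, assertions = parse_rules(SAMPLE_POLICY)
    return check_assertions(allowed, assertions), is_allowed(
        allowed, "openoffice_exec_t", "root_t", "dir", "search")

if __name__ == "__main__":
    failures, still_ok = demo()
    print("assertion check:", failures or "clean")
    print("search on root_t still allowed:", still_ok)
```

Run as-is, the check reports the violated assertion, yet `is_allowed` still returns True: exactly the situation in the thread, where the build would only fail if the assertion check were actually run, and even then the fix is to remove or narrow the offending allow rule, not to add a neverallow.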