forked from SELinuxProject/selint
README
SUMMARY
SELint is a program to perform static code analysis on SELinux policy
source files.
INSTALLING FROM TAR DOWNLOAD
To install from a downloaded tarball, first install the following dependencies:
On rpm based distros:
uthash-devel
libconfuse
libconfuse-devel
check
check-devel
On apt based distros:
uthash-dev
libconfuse-dev
check
Then run:
./configure
make
make install
INSTALLING FROM GIT
If you are building from a git repo checkout, you'll also need bison, flex,
autotools (automake, autoconf, aclocal, autoreconf) and the autoconf-archive package.
Then you can run ./autogen.sh to set up autotools and then follow the steps above.
USAGE
selint [OPTIONS] FILE [...]
OPTIONS
-c CONFIGFILE, --config=CONFIGFILE
Override default config with config specified on command line. See
CONFIGURATION section for config file syntax.
--color=COLOR_OPTION
Configure color output. Options are on, off and auto (the default).
--context=CONTEXT_PATH
Also parse any .te or .if files found in CONTEXT_PATH and load symbols
associated with them for use when checking the policy files to be analyzed.
No checks are run on these files. Implies -s.
--debug-parser
Enable debug output for the internal policy parser.
Very noisy, useful to debug parsing failures.
-d CHECKID, --disable=CHECKID
Disable check with the given ID.
-e CHECKID, --enable=CHECKID
Enable check with the given ID.
-E, --only-enabled
Only run checks that are explicitly enabled with the --enable option.
-F, --fail
Exit with a non-zero value if any issue was found.
-h, --help
Show help menu about command line options.
-l LEVEL, --level=LEVEL
Only list errors with a severity level at or greater than LEVEL. Options
are C (convention), S (style), W (warning), E (error), F (fatal error). See
SEVERITY LEVELS for more information. If this option is not specified,
SELint will default to the level selected in the applicable config file.
--scan-hidden-dirs
Scan hidden directories. By default hidden directories (like '.git') are
skipped in recursive mode.
-s, --source
Run in "source mode" to scan a policy source repository that is designed to
compile into a full system policy. If this flag is not specified, SELint
will assume that scanned policy files are intended to be loaded into the
currently running system policy.
-S, --summary
Display a summary of issues found after running the analysis.
--summary-only
Only display a summary of issues found after running the analysis.
Do not show the individual findings. Implies -S.
-r, --recursive
Scan recursively and check all SELinux policy files found.
-v, --verbose
Enable verbose output.
-V, --version
Show version information and exit.
CONFIGURATION
A global configuration is specified at the install prefix supplied to
./configure (typically /usr/local/etc). This can be overridden on the command
line using the -c option.
Options specified on the command line override options from the config file.
See the global config file for details on config file syntax.
SEVERITY LEVELS
SELint messages are associated with a severity level, indicating the
significance of the issue. Available levels are listed below in increasing
order of significance.
X (extra) - Miscellaneous checks, mainly for policy introspection.
These must be explicitly enabled with their individual identifier.
C (convention) - A violation of common style conventions
S (style) - Stylistic "code smell" that may be associated with unintended
behavior
W (warning) - Non standard policy that may result in issues such as run time
errors or security issues
E (error) - Important issues that may result in errors at compile time or
run time
F (fatal error) - Error that prevents further processing
SELINT EXCEPTIONS
To eliminate one or more checks on one line, add a comment containing a string
in any of the following formats:
* "selint-disable:E-003"
* "selint-disable: E-003"
* "selint-disable:E-003,E-004"
* "selint-disable: E-003, E-004"
This is currently only supported in .te and .if files.
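The four exception comment forms above differ only in optional whitespace. As an added example (not SELint's own code), the following parser recognises all four forms and maps each source line to the check IDs it suppresses; it assumes the policy comment character is '#' and that check IDs follow the LEVEL-NNN pattern used throughout this README, and the policy snippet is constructed for illustration.

```python
import re
from typing import Dict, Set

# Accepts "selint-disable:E-003", "selint-disable: E-003",
# "selint-disable:E-003,E-004" and "selint-disable: E-003, E-004".
DISABLE_RE = re.compile(
    r"selint-disable:\s*((?:[XCSWEF]-\d{3})(?:\s*,\s*[XCSWEF]-\d{3})*)"
)

# Constructed .te snippet for illustration (not real policy from any project).
SAMPLE_TE = """policy_module(example, 1.0)
type example_t;                        # selint-disable: E-003, E-004
allow example_t self:process signal;   # selint-disable:C-007
allow example_t example_t:file read;
"""


def disabled_checks_on_line(line: str) -> Set[str]:
    """Return the check IDs disabled by a selint-disable comment on this line.

    Only the comment part (after '#') is inspected, so the marker string in a
    non-comment position does not suppress anything (assumption: '#' comments).
    """
    comment_pos = line.find("#")
    if comment_pos == -1:
        return set()
    m = DISABLE_RE.search(line[comment_pos:])
    if not m:
        return set()
    return {cid.strip() for cid in m.group(1).split(",")}


def disabled_checks_by_line(source: str) -> Dict[int, Set[str]]:
    """Map 1-based line numbers to the set of check IDs suppressed there."""
    result: Dict[int, Set[str]] = {}
    for lineno, line in enumerate(source.splitlines(), start=1):
        ids = disabled_checks_on_line(line)
        if ids:
            result[lineno] = ids
    return result


def is_suppressed(lineno: int, check_id: str, source: str) -> bool:
    """True if a finding with check_id on lineno is covered by an exception."""
    return check_id in disabled_checks_by_line(source).get(lineno, set())
```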
OUTPUT
SELint outputs messages in the following format:
[filename]:[lineno]: ([SEVERITY LEVEL]): [MESSAGE] ([ISSUE ID])
For example:
example.te:127: (E) Interface from module not in optional_policy block (E-001)
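A consumer of this output (a CI job, for instance) needs to parse each line back into its fields and apply the same severity ordering the SEVERITY LEVELS section defines. As an added example (not SELint's own code), the parser below reads the documented line format, applies a level threshold the way -l/--level does, counts findings per check ID like -S/--summary, and derives a -F/--fail style exit status. The sample output is constructed; the first line is the README's own example, and the regex treats the ':' after the severity as optional because the example line omits it.

```python
import re
from collections import Counter
from typing import List, NamedTuple

# Severity levels in increasing order of significance, as documented.
SEVERITY_ORDER = "XCSWEF"


class Finding(NamedTuple):
    filename: str
    lineno: int
    severity: str
    message: str
    check_id: str


# [filename]:[lineno]: ([SEVERITY LEVEL]): [MESSAGE] ([ISSUE ID])
LINE_RE = re.compile(
    r"^(?P<file>[^:\n]+):(?P<line>\d+): \((?P<sev>[XCSWEF])\):?\s"
    r"(?P<msg>.*) \((?P<id>[XCSWEF]-\d{3})\)$"
)

# Constructed sample output for illustration.
SAMPLE_OUTPUT = """\
example.te:127: (E) Interface from module not in optional_policy block (E-001)
example.te:12: (W): Allow rule with complement or wildcard permission (W-008)
example.if:3: (C): Interface does not have documentation comment (C-004)
example.fc:9: (E): Nonexistent type listed in fc file (E-005)
"""


def parse_output(text: str) -> List[Finding]:
    """Parse SELint output lines; lines that do not match (summaries, blanks) are skipped."""
    findings = []
    for raw in text.splitlines():
        m = LINE_RE.match(raw)
        if m:
            findings.append(Finding(m["file"], int(m["line"]), m["sev"], m["msg"], m["id"]))
    return findings


def at_or_above(findings: List[Finding], level: str) -> List[Finding]:
    """Keep findings whose severity is at or above LEVEL (mirrors -l/--level)."""
    threshold = SEVERITY_ORDER.index(level)
    return [f for f in findings if SEVERITY_ORDER.index(f.severity) >= threshold]


def summary(findings: List[Finding]) -> Counter:
    """Count findings per check ID (mirrors -S/--summary)."""
    return Counter(f.check_id for f in findings)


def exit_code(findings: List[Finding], level: str) -> int:
    """Non-zero when any finding at or above LEVEL remains (mirrors -F/--fail)."""
    return 1 if at_or_above(findings, level) else 0
```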
CHECK IDS
The following checks may be performed:
X-001: Unused interface or template declaration
X-002: AV rule with excluded source or target (can affect policy binary size)
C-001: Violation of refpolicy te file ordering conventions
C-004: Interface does not have documentation comment
C-005: Permissions in av rule or class declaration not ordered
C-006: Declarations in require block not ordered
C-007: Redundant type specification instead of self keyword
C-008: Conditional expression identifier from foreign module
S-001: Require block used instead of interface call
S-002: File context file labels with type not declared in module
S-003: Unnecessary semicolon
S-004: Template call from an interface
S-005: Declaration in interface
S-006: Bare module statement
S-007: Call to gen_context omits mls component
S-008: Unquoted gen_require block
S-009: Permission macro suffix does not match class name
S-010: Permission macro usage suggested
W-001: Type or attribute referenced without explicit declaration
W-002: Type, attribute or role used but not listed in require block in interface
W-003: Unused type, attribute or role listed in require block
W-004: Potentially unescaped regex character in file contexts paths
W-005: Interface call from module not in optional_policy block
W-006: Interface call with empty argument
W-007: Unquoted space in argument of interface call
W-008: Allow rule with complement or wildcard permission
W-009: Module name does not match file name
W-010: Call to unknown interface
W-011: Declaration in require block not defined in own module
W-012: Conditional expression contains unknown identifier
W-013: Incorrect usage of audit_access permission
E-002: Bad file context format
E-003: Nonexistent user listed in fc file
E-004: Nonexistent role listed in fc file
E-005: Nonexistent type listed in fc file
E-006: Declaration and interface with same name
E-007: Usage of unknown permission or permission macro
E-008: Usage of unknown class
E-009: Empty optional or require macro block
E-010: Usage of unknown simple m4 macro or stray word
F-001: Policy syntax error prevents further processing
F-002: Internal error in SELint