Codebase list selint / HEAD
HEAD

Tree @HEAD (Download .tar.gz) 

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
SUMMARY

	SELint is a program to perform static code analysis on SELinux policy
	source files


INSTALLING FROM TAR DOWNLOAD

	To install from a downloaded tarball, first install the following dependencies:

	On rpm based distros:
		uthash-devel
		libconfuse
		libconfuse-devel
		check
		check-devel

	On apt based distros:
		uthash-dev
		libconfuse-dev
		check

	Then run:

	./configure
	make
	make install

INSTALLING FROM GIT

	If you are building from a git repo checkout, you'll also need bison, flex,
	autotools (automake, autoconf, aclocal, autoreconf) and the autoconf-archive package.
	Then you can run ./autogen.sh to set up autotools and then follow the steps above.

USAGE

	selint [OPTIONS] FILE [...]

OPTIONS

	-c CONFIGFILE, --config=CONFIGFILE
		Override default config with config specified on command line.  See
		CONFIGURATION section for config file syntax.

	--color=COLOR_OPTION
		Configure color output.  Options are on, off and auto (the default).

	--context=CONTEXT_PATH
		Also parse any .te or .if files found in CONTEXT_PATH and load symbols
		associated with them for use when checking the policy files to be analyzed.
		No checks are run on these files. Implies -s.

	--debug-parser
		Enable debug output for the internal policy parser.
		Very noisy, useful to debug parsing failures.

	-d CHECKID, --disable=CHECKID
		Disable check with the given ID.

	-e CHECKID, --enable=CHECKID
		Enable check with the given ID.

	-E, --only-enabled
		Only run checks that are explicitly enabled with the --enable option.

	-F, --fail
		Exit with a non-zero value if any issue was found.

	-h, --help
		Show help menu about command line options.

	-l LEVEL, --level=LEVEL
		Only list errors with a severity level at or greater than LEVEL.  Options
		are C (convention), S (style), W (warning), E (error), F (fatal error).  See
		SEVERITY LEVELS for more information.  If this option is not specified,
		SELint will default to the level selected in the applicable config file.

	--scan-hidden-dirs
		Scan hidden directories.  By default hidden directories (like '.git') are
		skipped in recursive mode.

	-s, --source
		Run in "source mode" to scan a policy source repository that is designed to
		compile into a full system policy.  If this flag is not specified, SELint
		will assume that scanned policy files are intended to be loaded into the
		currently running system policy.

	-S, --summary
		Display a summary of issues found after running the analysis.

	--summary-only
		Only display a summary of issues found after running the analysis.
		Do not show the individual findings.  Implies -S.

	-r, --recursive
		Scan recursively and check all SELinux policy files found.

	-v, --verbose
		Enable verbose output

	-V, --version
		Show version information and exit.

CONFIGURATION

	A global configuration is specified at the install prefix supplied to
	./configure (typically /usr/local/etc).  This can be overridden on the command
	line using the -c option.

	Options specified on the command line override options from the config file.

	See the global config file for details on config file syntax.

SEVERITY LEVELS

	SELint messages are assocatied with a severity level, indicating the
	significance of the issue.  Available levels are listed below in increasing
	order of significance.

	X (extra) - Miscellaneous checks, mainly for policy introspection.
	These must be explicitly enabled with their individual identifier.
	C (convention) - A violation of common style conventions
	S (style) - Stylistic "code smell" that may be associated with unintended
	behavior
	W (warning) - Non standard policy that may result in issues such as run time
	errors or security issues
	E (error) - Important issues that may result in errors at compile time or
	run time
	F (fatal error) - Error that prevents further processing

SELINT EXCEPTIONS

	To eliminate one or more checks on one line, add a comment containing a string
	in any of the following formats:

	* "selint-disable:E-003"
	* "selint-disable: E-003"
	* "selint-disable:E-003,E-004"
	* "selint-disable: E-003, E-004"

	This is currently only supported in te and if files

OUTPUT

	SELint outputs messages in the following format:

	[filename]:[lineno]: ([SEVERITY LEVEL]): [MESSAGE] ([ISSUE ID])

	For example:

	example.te:127: (E) Interface from module not in optional_policy block (E-001)

CHECK IDS

	The following checks may be performed:

	X-001: Unused interface or template declaration
	X-002: AV rule with excluded source or target (can affect policy binary size)

	C-001: Violation of refpolicy te file ordering conventions
	C-004: Interface does not have documentation comment
	C-005: Permissions in av rule or class declaration not ordered
	C-006: Declarations in require block not ordered
	C-007: Redundant type specification instead of self keyword
	C-008: Conditional expression identifier from foreign module

	S-001: Require block used instead of interface call
	S-002: File context file labels with type not declared in module
	S-003: Unnecessary semicolon
	S-004: Template call from an interface
	S-005: Declaration in interface
	S-006: Bare module statement
	S-007: Call to gen_context omits mls component
	S-008: Unquoted gen_require block
	S-009: Permission macro suffix does not match class name
	S-010: Permission macro usage suggested

	W-001: Type or attribute referenced without explicit declaration
	W-002: Type, attribute or role used but not listed in require block in interface
	W-003: Unused type, attribute or role listed in require block
	W-004: Potentially unescaped regex character in file contexts paths
	W-005: Interface call from module not in optional_policy block
	W-006: Interface call with empty argument
	W-007: Unquoted space in argument of interface call
	W-008: Allow rule with complement or wildcard permission
	W-009: Module name does not match file name
	W-010: Call to unknown interface
	W-011: Declaration in require block not defined in own module
	W-012: Conditional expression contains unknown identifier
	W-013: Incorrect usage of audit_access permission

	E-002: Bad file context format
	E-003: Nonexistent user listed in fc file
	E-004: Nonexistent role listed in fc file
	E-005: Nonexistent type listed in fc file
	E-006: Declaration and interface with same name
	E-007: Usage of unknown permission or permission macro
	E-008: Usage of unknown class
	E-009: Empty optional or require macro block
	E-010: Usage of unknown simple m4 macro or stray word

	F-001: Policy syntax error prevents further processing
	F-002: Internal error in SELint

Commit History @HEAD