Skip to content

Static code analysis of refpolicy style SELinux policy

License

Notifications You must be signed in to change notification settings

cgzones/selint

 
 

Repository files navigation

SUMMARY

	SELint is a program to perform static code analysis on SELinux policy
	source files


INSTALLING FROM TAR DOWNLOAD

	To install from a downloaded tarball, first install the following dependencies:

	On rpm based distros:
		uthash-devel
		libconfuse
		libconfuse-devel
		check
		check-devel

	On apt based distros:
		uthash-dev
		libconfuse-dev
		check

	Then run:

	./configure
	make
	make install

INSTALLING FROM GIT

	If you are building from a git repo checkout, you'll also need bison, flex,
	autotools (automake, autoconf, aclocal, autoreconf) and the autoconf-archive package.
	Then you can run ./autogen.sh to set up autotools and then follow the steps above.

USAGE

	selint [OPTIONS] FILE [...]

OPTIONS

	-c CONFIGFILE, --config=CONFIGFILE
		Override default config with config specified on command line.  See
		CONFIGURATION section for config file syntax.

	--color=COLOR_OPTION
		Configure color output.  Options are on, off and auto (the default).

	--context=CONTEXT_PATH
		Also parse any .te or .if files found in CONTEXT_PATH and load symbols
		associated with them for use when checking the policy files to be analyzed.
		No checks are run on these files. Implies -s.

	--debug-parser
		Enable debug output for the internal policy parser.
		Very noisy, useful to debug parsing failures.

	-d CHECKID, --disable=CHECKID
		Disable check with the given ID.

	-e CHECKID, --enable=CHECKID
		Enable check with the given ID.

	-E, --only-enabled
		Only run checks that are explicitly enabled with the --enable option.

	-F, --fail
		Exit with a non-zero value if any issue was found.

	-h, --help
		Show help menu about command line options.

	-l LEVEL, --level=LEVEL
		Only list errors with a severity level at or greater than LEVEL.  Options
		are C (convention), S (style), W (warning), E (error), F (fatal error).  See
		SEVERITY LEVELS for more information.  If this option is not specified,
		SELint will default to the level selected in the applicable config file.

	--scan-hidden-dirs
		Scan hidden directories.  By default hidden directories (like '.git') are
		skipped in recursive mode.

	-s, --source
		Run in "source mode" to scan a policy source repository that is designed to
		compile into a full system policy.  If this flag is not specified, SELint
		will assume that scanned policy files are intended to be loaded into the
		currently running system policy.

	-S, --summary
		Display a summary of issues found after running the analysis.

	--summary-only
		Only display a summary of issues found after running the analysis.
		Do not show the individual findings.  Implies -S.

	-r, --recursive
		Scan recursively and check all SELinux policy files found.

	-v, --verbose
		Enable verbose output

	-V, --version
		Show version information and exit.

CONFIGURATION

	A global configuration is specified at the install prefix supplied to
	./configure (typically /usr/local/etc).  This can be overridden on the command
	line using the -c option.

	Options specified on the command line override options from the config file.

	See the global config file for details on config file syntax.

SEVERITY LEVELS

	SELint messages are assocatied with a severity level, indicating the
	significance of the issue.  Available levels are listed below in increasing
	order of significance.

	X (extra) - Miscellaneous checks, mainly for policy introspection.
	These must be explicitly enabled with their individual identifier.
	C (convention) - A violation of common style conventions
	S (style) - Stylistic "code smell" that may be associated with unintended
	behavior
	W (warning) - Non standard policy that may result in issues such as run time
	errors or security issues
	E (error) - Important issues that may result in errors at compile time or
	run time
	F (fatal error) - Error that prevents further processing

SELINT EXCEPTIONS

	To eliminate one or more checks on one line, add a comment containing a string
	in any of the following formats:

	* "selint-disable:E-003"
	* "selint-disable: E-003"
	* "selint-disable:E-003,E-004"
	* "selint-disable: E-003, E-004"

	This is currently only supported in te and if files

OUTPUT

	SELint outputs messages in the following format:

	[filename]:[lineno]: ([SEVERITY LEVEL]): [MESSAGE] ([ISSUE ID])

	For example:

	example.te:127: (E) Interface from module not in optional_policy block (E-001)

CHECK IDS

	The following checks may be performed:

	X-001: Unused interface or template declaration
	X-002: AV rule with excluded source or target (can affect policy binary size)

	C-001: Violation of refpolicy te file ordering conventions
	C-004: Interface does not have documentation comment
	C-005: Permissions in av rule or class declaration not ordered
	C-006: Declarations in require block not ordered
	C-007: Redundant type specification instead of self keyword
	C-008: Conditional expression identifier from foreign module

	S-001: Require block used instead of interface call
	S-002: File context file labels with type not declared in module
	S-003: Unnecessary semicolon
	S-004: Template call from an interface
	S-005: Declaration in interface
	S-006: Bare module statement
	S-007: Call to gen_context omits mls component
	S-008: Unquoted gen_require block
	S-009: Permission macro suffix does not match class name
	S-010: Permission macro usage suggested

	W-001: Type or attribute referenced without explicit declaration
	W-002: Type, attribute or role used but not listed in require block in interface
	W-003: Unused type, attribute or role listed in require block
	W-004: Potentially unescaped regex character in file contexts paths
	W-005: Interface call from module not in optional_policy block
	W-006: Interface call with empty argument
	W-007: Unquoted space in argument of interface call
	W-008: Allow rule with complement or wildcard permission
	W-009: Module name does not match file name
	W-010: Call to unknown interface
	W-011: Declaration in require block not defined in own module
	W-012: Conditional expression contains unknown identifier
	W-013: Incorrect usage of audit_access permission

	E-002: Bad file context format
	E-003: Nonexistent user listed in fc file
	E-004: Nonexistent role listed in fc file
	E-005: Nonexistent type listed in fc file
	E-006: Declaration and interface with same name
	E-007: Usage of unknown permission or permission macro
	E-008: Usage of unknown class
	E-009: Empty optional or require macro block
	E-010: Usage of unknown simple m4 macro or stray word

	F-001: Policy syntax error prevents further processing
	F-002: Internal error in SELint

About

Static code analysis of refpolicy style SELinux policy

Resources

License

Stars

Watchers

Forks

Packages

No packages published

Languages

  • C 86.5%
  • Yacc 5.4%
  • Makefile 3.8%
  • Shell 2.5%
  • Lex 1.3%
  • M4 0.5%