Subject: Re: [Non-DoD Source] SELint
To: "Burgener, Daniel" , "selinux-refpolicy@vger.kernel.org"
References: <53806485-18fe-0cd8-ca16-9cdb495cdb92@tresys.com>
From: jwcart2
Date: Thu, 16 Jan 2020 14:52:31 -0500
In-Reply-To: <53806485-18fe-0cd8-ca16-9cdb495cdb92@tresys.com>
X-Mailing-List: selinux-refpolicy@vger.kernel.org

On 1/16/20 9:37 AM, Burgener, Daniel wrote:
> Hello,
>
> We have created a tool that I think people on this list may find very
> useful as they do refpolicy related work. It's called SELint and does
> static code analysis on refpolicy style SELinux policy. You can find
> the tool on our git repo here:
>
> https://github.com/TresysTechnology/selint
>
> It currently has 13 checks for common policy issues, and we hope to add
> more going forward.
>
> I submitted a pull request to the refpolicy github this morning that
> fixes some of the issues reported by the tool, and hope to continue
> submitting more over the next few days.
>
> -Daniel
>

Interesting work. Some of the tests are similar to those in a tool I created in 2018, selpoltools (https://github.com/jwcart2/selpoltools), but I did not think of doing a check for a potentially unescaped regex character. I like that your tool is written in C and that you can disable individual checks with a command line option.

A couple of comments (which you are probably aware of):

- You will need to teach your program about object_r at some point.

- I ran it on a Refpolicy source tree from earlier in the year and it complained about system_u being a non-existent user in the fc files, even though it is defined in users.

- I am a little bit confused by what the line out of order (C-001) check wants. For example, I get the following two warnings:

    ipsec.te: 118: (C): Line out of order. It is before line 124 that calls an interface located in the kernel module. (C-001)
    ipsec.te: 119: (C): Line out of order. It is before line 124 that is in a different section. (This node is in the section for ipsec_mgmt_t rules and the other is in the section for ipsec_t rules.) (C-001)

    118 corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
    119 allow ipsec_mgmt_t ipsec_t:fd use;
    . . .
    124 kernel_read_kernel_sysctls(ipsec_t)
    125 kernel_rw_net_sysctls(ipsec_t)
    126 kernel_* ...

  I am guessing that it wants the ipsec_t rules before the ipsec_mgmt_t rules? I wonder why there aren't similar warnings referring to lines 125-134, which also refer to kernel interfaces. I am guessing that it recognizes line 124 as the start of the ipsec_t section?

All in all, it looks promising.

Jim

-- 
James Carter
National Security Agency
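As an added example (not part of this thread, nor code from SELint or selpoltools), a small Python lint over constructed file_contexts lines that implements the two checks discussed above: flagging a '.' in an fc path regex that is probably meant literally but is not escaped, and flagging a gen_context() user that the policy does not declare. The fc grammar subset, the sample lines and the DEFINED_USERS set are assumptions made for the example.

```python
import re
# Constructed sample file_contexts (.fc) lines; not taken from refpolicy.
SAMPLE_FC = """\
/usr/lib/libipsec.so(\\.[0-9]+)*  --  gen_context(system_u:object_r:lib_t,s0)
/etc/ipsec.conf                   --  gen_context(system_u:object_r:ipsec_conf_file_t,s0)
/var/run/pluto(/.*)?                  gen_context(system_u:object_r:ipsec_var_run_t,s0)
/etc/ipsec\\.secrets              --  gen_context(unknown_u:object_r:ipsec_key_file_t,s0)
"""

# Users the policy declares (constructed stand-in for the refpolicy users file).
DEFINED_USERS = {"system_u"}

# fc grammar subset: path  [file-type]  gen_context(user:role:type[,range]) | <<none>>
FC_LINE = re.compile(
    r"^(\S+)\s+(?:(-[-dlscbp])\s+)?(?:gen_context\(([^:]+):[^)]*\)|<<none>>)\s*$")

def unescaped_dots(path_regex):
    """0-based offsets of '.' that are neither escaped nor a wildcard (.* .+ .? .{n})."""
    hits = []
    for i, ch in enumerate(path_regex):
        if ch != ".":
            continue
        before = path_regex[:i]
        # An odd number of backslashes directly before the dot means the dot is escaped.
        if (len(before) - len(before.rstrip("\\"))) % 2 == 1:
            continue
        nxt = path_regex[i + 1:i + 2]
        if nxt and nxt in "*+?{":      # deliberate regex wildcard, leave it alone
            continue
        hits.append(i)                 # probably meant as a literal '.'
    return hits

def lint_fc(text, defined_users):
    """Return (line_number, message) findings for the text of an fc file."""
    findings = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = FC_LINE.match(line)
        if not m:
            findings.append((lineno, "unrecognised file context syntax"))
            continue
        path, user = m.group(1), m.group(3)
        for off in unescaped_dots(path):
            findings.append((lineno, f"possibly unescaped '.' at column {off + 1} of {path}"))
        if user is not None and user not in defined_users:
            findings.append((lineno, f"user {user} is not defined in the policy"))
    return findings
```

Running lint_fc(SAMPLE_FC, DEFINED_USERS) reports the unescaped dots on lines 1 and 2 and the undeclared user on line 4, while the escaped '\.' and the '(/.*)?' wildcard pass.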