From: jwcart2@tycho.nsa.gov (jwcart2) Date: Tue, 3 Apr 2018 12:14:35 -0400 Subject: [refpolicy] ANN: SELinux Policy Tools - selpoltools Message-ID: <5e068d90-6ee8-b4f7-9052-18f80357d7b5@tycho.nsa.gov> To: refpolicy@oss.tresys.com List-Id: refpolicy.oss.tresys.com The selpoltools are a collection of policy tools for SELinux. It works on Refpolicy-based policies or a collection of policy files. Right now the only useful tool is spt_lint.lua. You can find selpoltools at: https://github.com/jwcart2/selpoltools See README.md for the very simple build instructions and examples of usage. spt_lint.lua can detect problems such as: - Unused macro (interface and template) parameters - Calls that have more or less arguments then needed - Identifiers used in macros but not declared anywhere in policy - Identifiers used in macros but not required by the macro - Identifiers required in macros but not declared anywhere in policy - Identifiers required in macros but not used in the macro - Macros that will appear in policy even though their module is marked "off" in modules.conf. See docs/spt_lint--warnings.txt for more details on the warnings that are reported. I had previously created a tool to convert Refpolicy to CIL, but it required multiple patches to Refpolicy to work. selpoltools uses a different approach and only requires that "make conf" has been run (if running on a Refpolicy policy tree). I created this tool primarily to help me identify patterns in Refpolicy that have caused me problems in the past when converting to CIL. The main culprits being identifiers that are required but not used (for CIL everything used is required, but only what is used is required) and macros that appear in policy even though their module is turned off (so far only a problem with Fedora's policy). I hope to eventually build upon this work to create a tool that can generate CIL from Refpolicy. -- James Carter National Security Agency