SELinux-Refpolicy Archive on
 help / color / Atom feed
From: jwcart2 <>
To: "Burgener, Daniel" <>,
Subject: Re: [Non-DoD Source] SELint
Date: Thu, 16 Jan 2020 14:52:31 -0500
Message-ID: <> (raw)
In-Reply-To: <>

On 1/16/20 9:37 AM, Burgener, Daniel wrote:
> Hello,
> We have created a tool a that I think people on this list may find very
> useful as they do refpolicy related work.  It's called SELint and does
> static code analysis on refpolicy style SELinux policy.  You can find
> the tool on our git repo here:
> It currently has 13 checks for common policy issues, and we hope to add
> more going forward.
> I submitted a pull request to the refpolicy github this morning that
> fixes some of the issues reported by the tool, and hope to continue
> submitting more over the next few days.
> -Daniel

Interesting work. Some of the tests are similar to those in a tool I created in 
2018, selpoltools (, but I did not think 
of doing a check for a potentially unescaped regex character. I like that your 
tool is written in c and that you can disable individual checks with a command 
line option.

A couple of comments (which you are probably aware of)
- You will need to teach your program about object_r at some point.

- I ran it on a Refpolicy source tree from earlier in the year and it complained 
about system_u being a non-existent user in the fc files, even though it is 
defined in users.

- I am a little bit confused by what the line out of order (C-001) wants. For 
example, I get the following two warnings

ipsec.te:       118: (C): Line out of order.  It is before line 124 that calls 
an interface located in the kernel module. (C-001)
ipsec.te:       119: (C): Line out of order.  It is before line 124 that is in a 
different section.  (This node is in the section for ipsec_mgmt_t rules and the 
other is in the section for ipsec_t rules.) (C-001)

118 corecmd_shell_domtrans(ipsec_t, ipsec_mgmt_t)
119 allow ipsec_mgmt_t ipsec_t:fd use;
. . .
124 kernel_read_kernel_sysctls(ipsec_t)
125 kernel_rw_net_sysctls(ipsec_t)
126 kernel_* ...

I am guessing that it wants the ipsec_t rules before the ipsec_mgmt_t rules?
I wonder why there aren't similar warnings referring to lines 125-134 which also 
refer to kernel interfaces. I am guessing that it recognizes line 124 as the 
start of the ipsec_t section?

All in all, it looks promising.

James Carter <>
National Security Agency

      reply index

Thread overview: 2+ messages / expand[flat|nested]  mbox.gz  Atom feed  top
2020-01-16 14:37 SELint Burgener, Daniel
2020-01-16 19:52 ` jwcart2 [this message]

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux-Refpolicy Archive on

Archives are clonable:
	git clone --mirror selinux-refpolicy/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux-refpolicy selinux-refpolicy/ \
	public-inbox-index selinux-refpolicy

Example config snippet for mirrors

Newsgroup available over NNTP:

AGPL code for this site: git clone