SELint is a program to perform static code analysis on SELinux policy source files.
To install from a downloaded tarball, first install the following dependencies:
On rpm based distros:
- uthash-devel
- libconfuse
- libconfuse-devel
- check
- check-devel
On apt based distros:
- uthash-dev
- libconfuse-dev
- check
Then run:
./configure
make
make install
If you are building from a git repo checkout, you'll also need bison, flex,
autotools (automake, autoconf, aclocal, autoreconf) and the autoconf-archive package.
Then you can run ./autogen.sh to set up autotools and then follow the steps above.
selint [OPTIONS] FILE [...]
-c CONFIGFILE, --config=CONFIGFILE
Override default config with config specified on command line. See
CONFIGURATION section for config file syntax.
--color=COLOR_OPTION
Configure color output. Options are on, off and auto (the default).
--context=CONTEXT_PATH
Also parse any .te or .if files found in CONTEXT_PATH and load symbols
associated with them for use when checking the policy files to be analyzed.
No checks are run on these files. Implies -s.
--debug-parser
Enable debug output for the internal policy parser.
Very noisy, useful to debug parsing failures.
-d CHECKID, --disable=CHECKID
Disable check with the given ID.
-e CHECKID, --enable=CHECKID
Enable check with the given ID.
-E, --only-enabled
Only run checks that are explicitly enabled with the --enable option.
-F, --fail
Exit with a non-zero value if any issue was found.
-h, --help
Show help menu about command line options.
-l LEVEL, --level=LEVEL
Only list errors with a severity level at or greater than LEVEL. Options
are C (convention), S (style), W (warning), E (error), F (fatal error). See
SEVERITY LEVELS for more information. If this option is not specified,
SELint will default to the level selected in the applicable config file.
--scan-hidden-dirs
Scan hidden directories. By default hidden directories (like `.git`) are
skipped in recursive mode.
-s, --source
Run in "source mode" to scan a policy source repository that is designed to
compile into a full system policy. If this flag is not specified, SELint
will assume that scanned policy files are intended to be loaded into the
currently running system policy.
-S, --summary
Display a summary of issues found after running the analysis.
--summary-only
Only display a summary of issues found after running the analysis.
Do not show the individual findings. Implies -S.
-r, --recursive
Scan recursively and check all SELinux policy files found.
-v, --verbose
Enable verbose output
-V, --version
Show version information and exit.
A global configuration is specified at the install prefix supplied to
./configure (typically /usr/local/etc). This can be overridden on the command
line using the -c option.
Options specified on the command line override options from the config file.
See the global config file for details on config file syntax.
SELint messages are assocatied with a severity level, indicating the significance of the issue. Available levels are listed below in increasing order of significance.
- X (extra) - Miscellaneous checks, mainly for policy introspection. These must be explicitly enabled with their individual identifier.
- C (convention) - A violation of common style conventions
- S (style) - Stylistic "code smell" that may be associated with unintended behavior
- W (warning) - Non standard policy that may result in issues such as run time errors or security issues
- E (error) - Important issues that may result in errors at compile time or run time
- F (fatal error) - Error that prevents further processing
To eliminate one or more checks on one line, add a comment containing a string in any of the following formats:
selint-disable:E-003selint-disable: E-003selint-disable:E-003,E-004selint-disable: E-003, E-004
This is currently only supported in te and if files
SELint outputs messages in the following format:
[filename]:[lineno]: ([SEVERITY LEVEL]): [MESSAGE] ([ISSUE ID])
For example:
example.te:127: (E) Interface from module not in optional_policy block (E-001)
The following checks may be performed:
Extra Checks:
- X-001: Unused interface or template declaration
- X-002: AV rule with excluded source or target (can affect policy binary size)
Convention Checks:
- C-001: Violation of refpolicy te file ordering conventions
- C-004: Interface does not have documentation comment
- C-005: Permissions in av rule or class declaration not ordered
- C-006: Declarations in require block not ordered
- C-007: Redundant type specification instead of self keyword
- C-008: Conditional expression identifier from foreign module
Style Checks:
- S-001: Require block used instead of interface call
- S-002: File context file labels with type not declared in module
- S-003: Unnecessary semicolon
- S-004: Template call from an interface
- S-005: Declaration in interface
- S-006: Bare module statement
- S-007: Call to gen_context omits mls component
- S-008: Unquoted gen_require block
- S-009: Permission macro suffix does not match class name
- S-010: Permission macro usage suggested
- S-011: File context line containing only white spaces
Warning Checks:
- W-001: Type, attribute or userspace class referenced without explicit declaration
- W-002: Type, attribute, role or userspace class used but not listed in require block in interface
- W-003: Unused type, attribute, role or userspace class listed in require block
- W-004: Potentially unescaped regex character in file contexts paths
- W-005: Interface call from module not in optional_policy block
- W-006: Interface call with empty argument
- W-007: Unquoted space in argument of interface call
- W-008: Allow rule with complement or wildcard permission
- W-009: Module name does not match file name
- W-010: Call to unknown interface
- W-011: Declaration in require block not defined in own module
- W-012: Conditional expression contains unknown identifier
- W-013: Incorrect usage of audit_access permission
Error Checks:
- E-002: Bad file context format
- E-003: Nonexistent user listed in fc file
- E-004: Nonexistent role listed in fc file
- E-005: Nonexistent type listed in fc file
- E-006: Declaration and interface with same name
- E-007: Usage of unknown permission or permission macro
- E-008: Usage of unknown class
- E-009: Empty optional or require macro block
- E-010: Usage of unknown simple m4 macro or stray word
Fatal Error Checks:
- F-001: Policy syntax error prevents further processing
- F-002: Internal error in SELint
To improve the accuracy and avoid false-positives SELint makes some assumptions about naming conventions and formatting of the policy:
- Type identifiers should end with the suffix
_t. - Role identifiers should end with the suffix
_r. - Names of noop interfaces for availability checks should end with the suffix
_stub. - Permission macros should end with the suffix
_perms. - Class set macros should end with the suffix
_class_set. - Security class declarations of userspace classes in the security_classes file should be
declared with a comment including the word
userspace. - Interfaces that wrap a file based type-transition should end with the suffix
_filetrans. - Interfaces that transforms their arguments, e.g. associate an attribute with them,
and thus should be handled like a declaration should have one of the following common
suffixes:
_type,_file,_domain,_node,_agent,_delivery,_sender,_boolean,_content,_constrained,_executable,_exemption,_objector_mountpoint.