SELinuxProject/selint

Erroneous W-002 in template

Closed this issue · 2 comments

I am seeing W-002 findings inside templates that I believe are erroneous. I am declaring a type $1_t and any time I use that type in the template it generates a W-002. If I change the type to $1_dummy_t the W-002 findings are no longer generated, but the $1_t declaration is still valid.

I created a small dummy.if file attached in a zip.
dummy.zip

selint command:
selint -s --context=./policy ./policy/< path to dummy.if >

This isn't reproing for me.

What is supposed to happen in this case is that for every potential finding, it checks to see if it actually knows about this type as being a real type in the policy, and if not, it assumes it's something else (such as $1_t for example). Something in your "--context=.policy" must be making selint think that $1_t is actually a real type for some reason. That's not to say that the bug is in your policy, but that the selint bug is coming from somewhere else in your policy where it's treating $1_t as a real definition. (This also explains why changing to $1_dummy_t fixes it.)

Would you be able to search through your policy for $1_t and see if you can figure out if you're doing anything unusual with m4 that could be confusing selint and let me know what it might be?

I had an offline discussion with Matt, and it turns out that this is triggered by a template mis-named as being an interface. Appending this to dummy.if allows me to repro:

interface(`bad_if',`
        dummy_template($1)
')

This also triggers S-004 as intended of course, but it's not great that we also report erroneous W-002 instead of focusing on the real issue.
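
One way to locate the trigger identified in the last comment, an `interface()` whose body calls a `template()`, when searching a policy tree. This is an added example, not selint's code or part of the thread; the body of `dummy_template` and the `ok_if` interface are constructed, since the contents of the attached zip are not shown on this page.

```python
import re

# Constructed sample: the dummy_template body and ok_if are assumptions;
# bad_if is the block quoted in the thread.
SAMPLE_IF = """\
template(`dummy_template',`
        type $1_t;
        allow $1_t self:process signal;
')

interface(`bad_if',`
        dummy_template($1)
')

interface(`ok_if',`
        gen_require(`
                type dummy_t;
        ')
        allow $1 dummy_t:file read;
')
"""

DEF_RE = re.compile(r"^(interface|template)\(`([^']+)',\s*`", re.M)
CALL_RE = re.compile(r"\b([A-Za-z_]\w*)\s*\(")

def parse_defs(text):
    """Return {name: (kind, body)}; bodies are found by tracking m4 quote depth."""
    defs = {}
    for m in DEF_RE.finditer(text):
        depth, i = 1, m.end()          # the header's second backtick opened the body
        while i < len(text) and depth:
            depth += {"`": 1, "'": -1}.get(text[i], 0)
            i += 1
        defs[m.group(2)] = (m.group(1), text[m.end():i - 1])
    return defs

def interfaces_calling_templates(text):
    """List (interface, template) pairs where an interface body calls a template."""
    defs = parse_defs(text)
    templates = {n for n, (kind, _) in defs.items() if kind == "template"}
    return [(name, callee)
            for name, (kind, body) in defs.items() if kind == "interface"
            for callee in CALL_RE.findall(body) if callee in templates]

if __name__ == "__main__":
    print(interfaces_calling_templates(SAMPLE_IF))
```

To cover templates defined in other modules, concatenate the contents of all `.if` files under the policy directory and pass the result as `text`.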