W-002 false negatives when not in source mode
Opened this issue · 0 comments
dburgener commented
Check W-002 should alert you to the mention of a type that isn't required in this module. It checks to make sure that the thing it's alerting about is actually a really declared policy object first:
Lines 535 to 538 in 17347c4
In source mode, this works fine. But if you're just checking a single module to build against the installed policy using development headers and mention a type without including it, selint misses this, because it doesn't recognize the existing type.
Seen when running selint against this policy: https://github.com/pss-john/se-missing-type
$ ~/selint/src/selint -e W-002 *
Note: Skipping gateway.sh which is not a policy file
Note: Skipping gateway_selinux.spec which is not a policy file
Note: Check E-007 is not performed because no permission macro has been parsed.
gateway.te: 3: (S): Require block used in te file (use an interface call instead) (S-001)
gateway.te: 42: (C): Permissions in av rule not ordered (read before getattr) (C-005)
gateway.te: 44: (C): Permissions in av rule not ordered (transition before siginh) (C-005)
gateway.if: 149: (W): Expression for conditional block uses unknown identifier deny_ptrace (W-012)
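The mechanism behind the false negative, as an added illustration that is not selint's own code: a small Python model of a W-002 style check. The linter only reports a referenced-but-not-required type if it already knows that type as a declared policy object, so the result depends entirely on how its symbol table was populated. The sample module, the regexes and the `INSTALLED_POLICY_TYPES` set are constructed for the example (the set stands in for what development headers or the installed policy would declare); none of it comes from the linked repository.

```python
import re

# Constructed sample module; not the gateway policy from the linked repo.
MODULE_TE = """\
policy_module(mymod, 1.0)

type mymod_t;
type mymod_exec_t;

allow mymod_t mymod_exec_t:file { getattr read };
allow mymod_t sshd_t:process signal;
allow mymod_t nosuch_t:dir search;
"""

# Constructed stand-in for what development headers / the installed policy
# declare. nosuch_t is deliberately absent so it stays an unknown identifier.
INSTALLED_POLICY_TYPES = {"sshd_t", "init_t"}

TYPE_DECL = re.compile(r"^\s*type\s+(\w+)\s*;", re.M)
REQUIRE_BODY = re.compile(r"gen_require\(`(.*?)'\)|require\s*\{(.*?)\}", re.S)
ALLOW_RULE = re.compile(r"^\s*allow\s+(\w+)\s+(\w+)\s*:", re.M)


def declared_types(src):
    """Types declared in the text, including any inside require blocks."""
    return set(TYPE_DECL.findall(src))


def required_types(src):
    """Types listed in require / gen_require blocks of this module."""
    out = set()
    for m in REQUIRE_BODY.finditer(src):
        body = m.group(1) or m.group(2) or ""
        out |= set(re.findall(r"type\s+(\w+)\s*;", body))
    return out


def referenced_types(src):
    """Source and target types mentioned in allow rules."""
    out = set()
    for src_t, tgt_t in ALLOW_RULE.findall(src):
        out.update((src_t, tgt_t))
    return out


def check_w002(src, known_types):
    """Model of W-002: a referenced type that is neither declared nor required
    in this module is reported only if the linter knows it as a real policy
    object (known_types). Anything else falls through to the unknown-identifier
    path, which is where the false negative hides."""
    local = declared_types(src) | required_types(src)
    return sorted(t for t in referenced_types(src)
                  if t not in local and t in known_types)


def unknown_identifiers(src, known_types):
    """Identifiers the linter has never seen declared anywhere."""
    local = declared_types(src) | required_types(src)
    return sorted(t for t in referenced_types(src)
                  if t not in local and t not in known_types)


def run_modes(src):
    """Same module, run against differently populated symbol tables."""
    module_only = declared_types(src)
    with_headers = module_only | INSTALLED_POLICY_TYPES
    return {
        # single-module run with no knowledge of the installed policy:
        # sshd_t is not a known object, so W-002 stays silent
        "module_only": check_w002(src, module_only),
        # source-mode run, or a run seeded from development headers:
        # sshd_t is known and not required, so W-002 fires
        "with_headers": check_w002(src, with_headers),
        # a type declared nowhere is never a W-002 hit in either mode
        "still_unknown": unknown_identifiers(src, with_headers),
    }


if __name__ == "__main__":
    for mode, result in run_modes(MODULE_TE).items():
        print(f"{mode}: {result}")
```

The `module_only` result is the false negative from the report: the missing require for `sshd_t` is real, but the check cannot distinguish "declared in the installed policy" from "never declared" without a symbol table seeded from the headers or the base policy, so the only way to surface it is to load those declarations before the check runs.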