SUMMARY SELint is a program to perform static code analysis on SELinux policy source files INSTALLING FROM TAR DOWNLOAD To install from a downloaded tarball, first install the following dependencies: On rpm based distros: uthash-devel libconfuse libconfuse-devel check check-devel On apt based distros: uthash-dev libconfuse-dev check Then run: ./configure make make install INSTALLING FROM GIT If you are building from a git repo checkout, you'll also need the autotools (automake, autoconf, aclocal, autoreconf) and the autoconf-archive package. Then you can run ./autogen.sh to set up autotools and then follow the steps above. USAGE selint [OPTIONS] FILE [...] OPTIONS -c CONFIGFILE, --config=CONFIGFILE Override default config with config specified on command line. See CONFIGURATION section for config file syntax. -d CHECKID, --disable=CHECKID Disable check with the given ID. -e CHECKID, --enable=CHECKID Enable check with the given ID. -E, --only-enabled Only run checks that are explicitly enabled with the --enable option. -h, --help Show help menu about command line options. -l LEVEL, --level=LEVEL Only list errors with a severity level at or greater than LEVEL. Options are C (convention), S (style), W (warning), E (error), F (fatal error). See SEVERITY LEVELS for more information. If this option is not specified, SELint will default to the level selected in the applicable config file. -s, --source Run in "source mode" to scan a policy source repository that is designed to compile into a full system policy. If this flag is not specified, SELint will assume that scanned policy files are intended to be loaded into the currently running system policy. -S, --summary Display a summary of issues found after running the analysis -r, --recursive Scan recursively and check all SELinux policy files found. -v, --verbose Enable verbose output -V, --version Show version information and exit. CONFIGURATION A global configuration is specified at the install prefix supplied to ./configure (typically /usr/local/etc). This can be overridden on the command line using the -c option. Options specified on the command line override options from the config file. See the global config file for details on config file syntax. SEVERITY LEVELS SELint messages are assocatied with a severity level, indicating the significance of the issue. Available levels are listed below in increasing order of significance. C (convention) - A violation of common style conventions S (style) - Stylistic "code smell" that may be associated with unintended behavior W (warning) - Non standard policy that may result in issues such as run time errors or security issues E (error) - Important issues that may result in errors at compile time or run time F (fatal error) - Error that prevents further processing SELINT EXCEPTIONS To eliminate a check on one line, add a comment containing a string in the following format: "selint-disable:E-003" This is currently only supported in te and if files OUTPUT SELint outputs messages in the following format: [filename]:[lineno]: ([SEVERITY LEVEL]): [MESSAGE] ([ISSUE ID]) For example: example.te:127: (E) Interface from module not in optional_policy block (E-001) CHECK IDS The following checks may be performed: C-001: Violation of refpolicy te file ordering conventions C-004: Interface does not have documentation comment S-001: Require block used instead of interface call S-002: File context file labels with type not declared in module S-003: Unnecessary semicolon W-001: Type referenced without explicit declaration W-002: Type, attribute or role used but not listed in require block in interface W-003: Unused type, attribute or role listed in require block W-004: Potentially unescaped regex character in file contexts paths W-005: Interface call from module not in optional_policy block E-002: Bad file context format E-003: Nonexistent user listed in fc file E-004: Nonexistent role listed in fc file E-005: Nonexistent type listed in fc file F-001: Policy syntax error prevents further processing F-002: Internal error in SELint