Bug 230845

Summary: RFE: improve forbidden-selinux-command check
Product: [Fedora] Fedora
Component: rpmlint
Version: rawhide
Hardware: All
OS: Linux
Status: CLOSED DEFERRED
Severity: medium
Priority: medium
Keywords: FutureFeature
Doc Type: Enhancement
Reporter: Ville Skyttä <ville.skytta>
Assignee: Tom "spot" Callaway <spotrh>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: sgrubb
Last Closed: 2023-08-24 14:24:58 UTC

Description Ville Skyttä 2007-03-03 15:50:20 UTC
As discussed in bug 230512, rpmlint's forbidden-selinux-command-* checks could
be improved to detect more cases where "knowledge" of various SELinux types is
embedded in specfiles.

Such commands which are not currently flagged include:
- semanage with -t/--type

What about these?
- semanage with -r/--range
- semanage with -s/--seuser
- semanage with -P/--prefix
- semanage with -R/--role
- semanage with -T/--trans

Comment 1 Ville Skyttä 2007-03-03 15:53:09 UTC
See also the original bug for forbidden SELinux commands: bug 214605

The -I message rpmlint gives should probably also be adjusted; if a package
needs to modify the policy, restorecon alone doesn't accomplish that.

Comment 2 Jon Stanley 2008-04-23 20:28:57 UTC
Adding FutureFeature keyword to RFEs.

Comment 3 Ville Skyttä 2010-01-31 22:16:07 UTC
Steve, you reported bug 214605 earlier - do you have any comments on this?

Comment 4 Steve Grubb 2010-02-01 14:09:12 UTC
Yes, it would be good to catch any knowledge of policy in spec files. Policy could change at any time and the types, role, and ranges be suddenly obsolete.

Comment 5 Ville Skyttä 2010-02-02 21:25:38 UTC
Thanks, Steve.  So if I understand you correctly, we'd want an error message from rpmlint if semanage is used with -t, --type, -R, --role, -r, or --range.

Are there legitimate use cases for semanage with some of its other arguments in scriptlets, or should we output the error message for every semanage use, no matter what the arguments to it are?
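
A sketch of the check proposed in Comment 5, added here as an illustration; it is not part of the bug discussion and not rpmlint's own code. The function names and the sample scriptlet are hypothetical, the option set is the one listed in Comment 5, and clustered short options such as `-at` are not unpacked.

```python
import shlex

# Options Comment 5 proposes flagging; -s/-P/-T are left out as still open.
POLICY_OPTIONS = {"-t": "type", "--type": "type", "-R": "role",
                  "--role": "role", "-r": "range", "--range": "range"}

# Constructed %post scriptlet, not taken from any real package.
SAMPLE = """\
# old: semanage fcontext -a -t var_t /srv/app
/usr/sbin/semanage fcontext -a -t httpd_sys_content_t '/srv/app(/.*)?' 2>/dev/null || :
semanage port -a --type=http_port_t \\
    -p tcp 8081; restorecon -R /srv/app
semanage login -a -s staff_u -r s0-s0:c0.c1023 appuser
"""

def logical_lines(text):
    """Yield (first_line_number, line) with backslash continuations joined."""
    buf, start = "", None
    for num, line in enumerate(text.splitlines(), 1):
        start = start or num
        if line.rstrip().endswith("\\"):
            buf += line.rstrip()[:-1] + " "
            continue
        yield start, buf + line
        buf, start = "", None

def tokenize(line):
    """Shell-style split; ';', '&&', '||' and '|' become separate tokens."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True
    try:
        return list(lex)
    except ValueError:  # unbalanced quote: fall back to a plain split
        return line.split()

def find_semanage_policy_options(scriptlet):
    """Return (line, kind, option) per flagged option of a semanage call."""
    findings = []
    for num, line in logical_lines(scriptlet):
        in_semanage = False
        for tok in tokenize(line):
            opt = tok.split("=", 1)[0]
            if tok.rsplit("/", 1)[-1] == "semanage":
                in_semanage = True
            elif tok and set(tok) <= set(";&|"):
                in_semanage = False   # next command on the same line
            elif in_semanage and opt in POLICY_OPTIONS:
                findings.append((num, POLICY_OPTIONS[opt], opt))
    return findings
```

On the sample, the commented-out command and `restorecon -R` are not reported, because options are only checked while the current command is `semanage`.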

Comment 6 Fedora Admin XMLRPC Client 2010-12-07 21:18:50 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Comment 7 Fedora Admin user for bugzilla script actions 2020-06-03 02:57:04 UTC
This package has changed maintainer in the Fedora.
Reassigning to the new maintainer of this component.

Comment 8 Steve Grubb 2023-08-24 14:24:58 UTC
I think we can close this.