Red Hat Bugzilla – Bug 230845
RFE: improve forbidden-selinux-command check
Last modified: 2014-02-04 13:46:37 EST
As discussed in bug 230512, rpmlint's forbidden-selinux-command-* checks could
be improved to detect more cases where "knowledge" of various SELinux types is
embedded in specfiles.
Such commands which are not currently flagged include:
- semanage with -t/--type
What about these?
- semanage with -r/--range
- semanage with -s/--seuser
- semanage with -P/--prefix
- semanage with -R/--role
- semanage with -T/--trans
See also the original bug for forbidden SELinux commands: bug 214605
The -I message rpmlint gives should probably also be adjusted; if a package
needs to modify the policy, restorecon alone doesn't accomplish that.
Adding FutureFeature keyword to RFEs.
Steve, you reported bug 214605 earlier - do you have any comments on this?
Yes, it would be good to catch any knowledge of policy in spec files. Policy could change at any time and the types, role, and ranges be suddenly obsolete.
Thanks, Steve. So if I understand you correctly, we'd want an error message from rpmlint if semanage is used with -t, --type, -R, --role, -r, or --range.
Are there legitimate use cases for semanage with some of its other arguments in scriptlets, or should we output the error message for every semanage use, no matter what the arguments to it are?
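As an added illustration of the rule proposed above (this is not rpmlint's own check and is not attached to this bug), the following Python scans the scriptlet sections of a spec file for semanage invocations that use -t/--type, -R/--role or -r/--range. The section-header regexes, the shell splitting and the sample spec are my own assumptions.

```python
import re
import shlex
# Options that hard-code policy knowledge (types, roles, MLS/MCS ranges) into the package.
FORBIDDEN = {"-t": "type", "--type": "type", "-R": "role", "--role": "role",
             "-r": "range", "--range": "range"}
BUILD = re.compile(r"^%(prep|build|install|check|clean|files|changelog|description|package)\b")
SCRIPTLET = re.compile(r"^%(pre|post|preun|postun|pretrans|posttrans|trigger\w*)\b")

def scriptlet_lines(spec_text):
    """Yield (section, logical_line) for shell lines inside scriptlets; continuations joined."""
    section, buf = None, ""
    for raw in spec_text.splitlines():
        if BUILD.match(raw) or SCRIPTLET.match(raw):
            section = raw.split()[0] if SCRIPTLET.match(raw) else None
        elif section and raw.rstrip().endswith("\\"):
            buf += raw.rstrip()[:-1] + " "
        elif section:
            yield section, buf + raw
            buf = ""

def commands(line):
    """Split one shell line into simple commands (argv lists) at ; && || | & ( )."""
    lex = shlex.shlex(line, posix=True, punctuation_chars=True)
    lex.whitespace_split = True        # Python >= 3.8: split on whitespace and punctuation
    segs = [[]]
    for tok in lex:
        if set(tok) <= set(";&|()"):   # separator token: start a new argv
            segs.append([])
        else:
            segs[-1].append(tok)
    return [s for s in segs if s]

def check_spec(spec_text):
    """Return (section, kind, line) for each semanage call that uses a forbidden option."""
    findings = []
    for section, line in scriptlet_lines(spec_text):
        for argv in commands(line):
            if argv and argv[0].rsplit("/", 1)[-1] == "semanage":
                hits = [FORBIDDEN[t.split("=")[0]] for t in argv[1:] if t.split("=")[0] in FORBIDDEN]
                if hits:
                    findings.append((section, hits[0], line.strip()))
    return findings
# Constructed sample spec (not from any real package) exercising the check.
SAMPLE_SPEC = """\
%post
/usr/sbin/semanage port -a -t http_port_t -p tcp 8080 2>/dev/null || :
%{_sbindir}/semanage fcontext -a \\
    --type=httpd_sys_content_t "/srv/www(/.*)?" || :
semanage user -a -R "staff_r sysadm_r" -r s0-s0:c0.c1023 myapp_u || :
"""
```

Calls such as `semanage port -d -p tcp 8080` or `restorecon -R` are not reported, since only the type, role and range options embed policy knowledge.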
This package has changed ownership in the Fedora Package Database. Reassigning to the new owner of this component.