Bug 230845 - RFE: improve forbidden-selinux-command check [NEEDINFO]
RFE: improve forbidden-selinux-command check
Status: ASSIGNED
Product: Fedora
Classification: Fedora
Component: rpmlint (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: Tom "spot" Callaway
Fedora Extras Quality Assurance
: FutureFeature
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2007-03-03 10:50 EST by Ville Skyttä
Modified: 2014-02-04 13:46 EST (History)
1 user (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed:
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
ville.skytta: needinfo? (sgrubb)


Attachments (Terms of Use)

  None (edit)
Description Ville Skyttä 2007-03-03 10:50:20 EST
As discussed in bug 230512, rpmlint's forbidden-selinux-command-* checks could
be improved to detect more cases where "knowledge" of various SELinux types is
embedded in specfiles.

Such commands which are not currently flagged include:
- semanage with -t/--type

What about these?
- semanage with -r/--range
- semanage with -s/--seuser
- semanage with -P/--prefix
- semanage with -R/--role
- semanage with -T/--trans
Comment 1 Ville Skyttä 2007-03-03 10:53:09 EST
See also the original bug for forbidden SELinux commands: bug 214605

The -I message rpmlint gives should probably also be adjusted; if a package
needs to modify the policy, restorecon alone doesn't accomplish that.
Comment 2 Jon Stanley 2008-04-23 16:28:57 EDT
Adding FutureFeature keyword to RFE's.
Comment 3 Ville Skyttä 2010-01-31 17:16:07 EST
Steve, you reported bug 214605 earlier - do you have any comments on this?
Comment 4 Steve Grubb 2010-02-01 09:09:12 EST
Yes, it would be good to catch any knowledge of policy in spec files. Policy could change at any time and the types, role, and ranges be suddenly obsolete.
Comment 5 Ville Skyttä 2010-02-02 16:25:38 EST
Thanks, Steve.  So if I understand you correctly, we'd want an error message from rpmlint if semanage is used with -t, --type, -R, --role, -r, or --range.

Are there legitimate use cases for semanage with some of its other arguments in scriptlets, or should we output the error message for every semanage use, no matter what the arguments to it are?
Comment 6 Fedora Admin XMLRPC Client 2010-12-07 16:18:50 EST
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.

Note You need to log in before you can comment on or make changes to this bug.