Suggest to change template to interface if appropriate #205
Comments
|
I had thought we already had this, but it looks like we only have the other way around (S-004 and S-005 show definitions or template calls in interfaces). One thing to consider here is this: https://github.com/SELinuxProject/refpolicy/blob/0c5a622fea7ebe660465da6296460b7e7b1a9d08/policy/modules/services/xserver.if#L310 This is a template rather than an interface because it uses a prefix, but it doesn't declare any types. Refpolicy does selint-disable:S-004 in an interface that calls it to accomodate. I believe I spoke to @pebenito about this back when we were implementing selint in refpolicy and my recollection is that he said that in his view the definition of template was the use of prefixes rather than types, attributes etc in arguments. It might be preferable if we do a check as you suggest to implement it based on the prefix definition rather than the declaration definition. |
|
The main differences between interfaces and templates is interfaces cannot:
|
|
With this classification, was the commit SELinuxProject/refpolicy@bf6cc10 correct, cause |
|
You're correct, I missed that. I reverted the change. |
cgzones
added a commit
to cgzones/selint
that referenced
this issue
May 10, 2021
Interfaces in the refpolicy should not: - declare anything (no side effects) - use prefix parameters Add one check to find interfaces that should be declared as a template and one check to find templates that can be declared as an interface. Refpolicy findings: qemu.if: 112: (S): Template qemu_role might be declared as an interface (S-012) wm.if: 142: (S): Interface wm_dbus_chat should be a template, due to parameter 0 (S-011) wm.if: 250: (S): Interface wm_write_pipes should be a template, due to parameter 0 (S-011) gnome.if: 673: (S): Interface gnome_dbus_chat_gkeyringd should be a template, due to parameter 0 (S-011) gnome.if: 741: (S): Interface gnome_stream_connect_gkeyringd should be a template, due to parameter 0 (S-011) userdomain.if: 1431: (S): Template userdom_security_admin_template might be declared as an interface (S-012) kismet.if: 18: (S): Template kismet_role might be declared as an interface (S-012) dbus.if: 193: (S): Interface dbus_connect_spec_session_bus should be a template, due to parameter 0 (S-011) dbus.if: 245: (S): Interface dbus_spec_session_bus_client should be a template, due to parameter 0 (S-011) dbus.if: 298: (S): Interface dbus_send_spec_session_bus should be a template, due to parameter 0 (S-011) dbus.if: 436: (S): Interface dbus_spec_session_domain should be a template, due to parameter 0 (S-011) rlogin.if: 32: (S): Template rlogin_read_home_content might be declared as an interface (S-012) git.if: 18: (S): Template git_role might be declared as an interface (S-012) Found the following issue counts: S-011: 8 S-012: 5 Closes: SELinuxProject#205
cgzones
added a commit
to cgzones/selint
that referenced
this issue
May 10, 2021
Interfaces in the refpolicy should not: - declare anything (no side effects) - use prefix parameters Add one check to find interfaces that should be declared as a template and one check to find templates that can be declared as an interface. Refpolicy findings: qemu.if: 112: (S): Template qemu_role might be declared as an interface (S-012) wm.if: 142: (S): Interface wm_dbus_chat should be a template, due to parameter 0 (S-011) wm.if: 250: (S): Interface wm_write_pipes should be a template, due to parameter 0 (S-011) gnome.if: 673: (S): Interface gnome_dbus_chat_gkeyringd should be a template, due to parameter 0 (S-011) gnome.if: 741: (S): Interface gnome_stream_connect_gkeyringd should be a template, due to parameter 0 (S-011) userdomain.if: 1431: (S): Template userdom_security_admin_template might be declared as an interface (S-012) kismet.if: 18: (S): Template kismet_role might be declared as an interface (S-012) dbus.if: 193: (S): Interface dbus_connect_spec_session_bus should be a template, due to parameter 0 (S-011) dbus.if: 245: (S): Interface dbus_spec_session_bus_client should be a template, due to parameter 0 (S-011) dbus.if: 298: (S): Interface dbus_send_spec_session_bus should be a template, due to parameter 0 (S-011) dbus.if: 436: (S): Interface dbus_spec_session_domain should be a template, due to parameter 0 (S-011) rlogin.if: 32: (S): Template rlogin_read_home_content might be declared as an interface (S-012) git.if: 18: (S): Template git_role might be declared as an interface (S-012) Found the following issue counts: S-011: 8 S-012: 5 Closes: SELinuxProject#205
cgzones
added a commit
to cgzones/selint
that referenced
this issue
May 10, 2021
Interfaces in the refpolicy should not: - declare anything (no side effects) - use prefix parameters Add one check to find interfaces that should be declared as a template and one check to find templates that can be declared as an interface. Refpolicy findings: qemu.if: 112: (S): Template qemu_role might be declared as an interface (S-012) wm.if: 142: (S): Interface wm_dbus_chat should be a template, due to parameter 0 (S-011) wm.if: 250: (S): Interface wm_write_pipes should be a template, due to parameter 0 (S-011) gnome.if: 673: (S): Interface gnome_dbus_chat_gkeyringd should be a template, due to parameter 0 (S-011) gnome.if: 741: (S): Interface gnome_stream_connect_gkeyringd should be a template, due to parameter 0 (S-011) userdomain.if: 1431: (S): Template userdom_security_admin_template might be declared as an interface (S-012) kismet.if: 18: (S): Template kismet_role might be declared as an interface (S-012) dbus.if: 193: (S): Interface dbus_connect_spec_session_bus should be a template, due to parameter 0 (S-011) dbus.if: 245: (S): Interface dbus_spec_session_bus_client should be a template, due to parameter 0 (S-011) dbus.if: 298: (S): Interface dbus_send_spec_session_bus should be a template, due to parameter 0 (S-011) dbus.if: 436: (S): Interface dbus_spec_session_domain should be a template, due to parameter 0 (S-011) rlogin.if: 32: (S): Template rlogin_read_home_content might be declared as an interface (S-012) git.if: 18: (S): Template git_role might be declared as an interface (S-012) Found the following issue counts: S-011: 8 S-012: 5 Closes: SELinuxProject#205
cgzones
added a commit
to cgzones/refpolicy
that referenced
this issue
May 13, 2021
Following the guideline of interfaces not allowed to declare anything and not use prefix parameters, declare interfaces doing so as templates. Also declare templates not using those features and not calling templates themselves as interfaces. These changes originate from the discussion in SELinuxProject/selint#205 and are found by new proposed SELint checks at SELinuxProject/selint#207. Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/refpolicy
that referenced
this issue
May 13, 2021
Following the guideline of interfaces not allowed to declare anything and not use prefix parameters, declare interfaces doing so as templates. Also declare templates not using those features and not calling templates themselves as interfaces. These changes originate from the discussion in SELinuxProject/selint#205 and are found by new proposed SELint checks at SELinuxProject/selint#206. Signed-off-by: Christian Göttsche <[email protected]>
cgzones
added a commit
to cgzones/selint
that referenced
this issue
May 27, 2021
Interfaces in the refpolicy should not: - declare anything (no side effects) - use prefix parameters Add one check to find interfaces that should be declared as a template and one check to find templates that can be declared as an interface. Refpolicy findings: qemu.if: 112: (S): Template qemu_role might be declared as an interface (S-012) wm.if: 142: (S): Interface wm_dbus_chat should be a template, due to parameter 0 (S-011) wm.if: 250: (S): Interface wm_write_pipes should be a template, due to parameter 0 (S-011) gnome.if: 673: (S): Interface gnome_dbus_chat_gkeyringd should be a template, due to parameter 0 (S-011) gnome.if: 741: (S): Interface gnome_stream_connect_gkeyringd should be a template, due to parameter 0 (S-011) userdomain.if: 1431: (S): Template userdom_security_admin_template might be declared as an interface (S-012) kismet.if: 18: (S): Template kismet_role might be declared as an interface (S-012) dbus.if: 193: (S): Interface dbus_connect_spec_session_bus should be a template, due to parameter 0 (S-011) dbus.if: 245: (S): Interface dbus_spec_session_bus_client should be a template, due to parameter 0 (S-011) dbus.if: 298: (S): Interface dbus_send_spec_session_bus should be a template, due to parameter 0 (S-011) dbus.if: 436: (S): Interface dbus_spec_session_domain should be a template, due to parameter 0 (S-011) rlogin.if: 32: (S): Template rlogin_read_home_content might be declared as an interface (S-012) git.if: 18: (S): Template git_role might be declared as an interface (S-012) Found the following issue counts: S-011: 8 S-012: 5 Closes: SELinuxProject#205
0xC0ncord
pushed a commit
to 0xC0ncord/hardened-refpolicy
that referenced
this issue
Jul 20, 2021
Following the guideline of interfaces not allowed to declare anything and not use prefix parameters, declare interfaces doing so as templates. Also declare templates not using those features and not calling templates themselves as interfaces. These changes originate from the discussion in SELinuxProject/selint#205 and are found by new proposed SELint checks at SELinuxProject/selint#206. Signed-off-by: Christian Göttsche <[email protected]>
0xC0ncord
pushed a commit
to 0xC0ncord/hardened-refpolicy
that referenced
this issue
Jul 21, 2021
Following the guideline of interfaces not allowed to declare anything and not use prefix parameters, declare interfaces doing so as templates. Also declare templates not using those features and not calling templates themselves as interfaces. These changes originate from the discussion in SELinuxProject/selint#205 and are found by new proposed SELint checks at SELinuxProject/selint#206. Signed-off-by: Christian Göttsche <[email protected]>
perfinion
pushed a commit
to perfinion/hardened-refpolicy
that referenced
this issue
Sep 5, 2021
Following the guideline of interfaces not allowed to declare anything and not use prefix parameters, declare interfaces doing so as templates. Also declare templates not using those features and not calling templates themselves as interfaces. These changes originate from the discussion in SELinuxProject/selint#205 and are found by new proposed SELint checks at SELinuxProject/selint#206. Signed-off-by: Christian Göttsche <[email protected]> Signed-off-by: Jason Zaman <[email protected]>
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
If a
templatedoes not define anything (type,attribute, ...) and does not call atemplate, suggest to change to aninterface.Find SELinuxProject/refpolicy@bf6cc10
The text was updated successfully, but these errors were encountered: