From 954c0293ee0fc648767b1f128852df0846ae27c7 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Christian=20G=C3=B6ttsche?= Date: Mon, 8 Jan 2024 14:22:54 +0100 Subject: [PATCH] Add ReadMe section about expected conventions Add a section to the ReadMe mentioning the policy convention expected, which are used to improve comprehension of the policy improving accuracy of checks. --- README | 19 +++++++++++++++++++ 1 file changed, 19 insertions(+) diff --git a/README b/README index a4f92be6..88d1675b 100644 --- a/README +++ b/README @@ -201,3 +201,22 @@ CHECK IDS F-001: Policy syntax error prevents further processing F-002: Internal error in SELint + +REFERENCE POLICY CONVENTIONS + + To improve the accuracy and avoid false-positives SELint makes some assumptions about + naming conventions and formatting of the policy: + + * Type identifiers should end with the suffix '_t'. + * Role identifiers should end with the suffix '_r'. + * Names of noop interfaces for availability checks should end with the suffix '_stub'. + * Permission macros should end with the suffix '_perms'. + * Class set macros should end with the suffix '_class_set'. + * Security class declarations of userspace classes in the security_classes file should be + declared with a comment including the word 'userspace'. + * Interfaces that wrap a file based type-transition should end with the suffix '_filetrans'. + * Interfaces that transforms their arguments, e.g. associate an attribute with them, + and thus should be handled like a declaration should have one of the following common + suffixes: '_type', '_file', '_domain', '_node', '_agent', '_delivery', '_sender', + '_boolean', '_content', '_constrained', '_executable', '_exemption', '_object' + or '_mountpoint'.