Bug 230845 - RFE: improve forbidden-selinux-command check [NEEDINFO]
Summary: RFE: improve forbidden-selinux-command check
Alias: None
Product: Fedora
Classification: Fedora
Component: rpmlint
Version: rawhide
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Tom "spot" Callaway
QA Contact: Fedora Extras Quality Assurance
Depends On:
Reported: 2007-03-03 15:50 UTC by Ville Skyttä
Modified: 2014-02-04 18:46 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Last Closed:
ville.skytta: needinfo? (sgrubb)


Description Ville Skyttä 2007-03-03 15:50:20 UTC
As discussed in bug 230512, rpmlint's forbidden-selinux-command-* checks could
be improved to detect more cases where "knowledge" of various SELinux types is
embedded in specfiles.

Such commands which are not currently flagged include:
- semanage with -t/--type

What about these?
- semanage with -r/--range
- semanage with -s/--seuser
- semanage with -P/--prefix
- semanage with -R/--role
- semanage with -T/--trans

Comment 1 Ville Skyttä 2007-03-03 15:53:09 UTC
See also the original bug for forbidden SELinux commands: bug 214605

The -I message rpmlint gives should probably also be adjusted; if a package
needs to modify the policy, restorecon alone doesn't accomplish that.

Comment 2 Jon Stanley 2008-04-23 20:28:57 UTC
Adding FutureFeature keyword to RFEs.

Comment 3 Ville Skyttä 2010-01-31 22:16:07 UTC
Steve, you reported bug 214605 earlier - do you have any comments on this?

Comment 4 Steve Grubb 2010-02-01 14:09:12 UTC
Yes, it would be good to catch any knowledge of policy in spec files. Policy could change at any time and the types, role, and ranges be suddenly obsolete.

Comment 5 Ville Skyttä 2010-02-02 21:25:38 UTC
Thanks, Steve.  So if I understand you correctly, we'd want an error message from rpmlint if semanage is used with -t, --type, -R, --role, -r, or --range.

Are there legitimate use cases for semanage with some of its other arguments in scriptlets, or should we output the error message for every semanage use, no matter what the arguments to it are?
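
The check discussed in comments 4 and 5, sketched as an added example (not rpmlint's own code and not part of the original thread): it scans scriptlet text for `semanage` calls that pass `-t`/`--type`, `-R`/`--role` or `-r`/`--range`. The names `flagged`, `commands`, `check_scriptlet` and the sample scriptlet are assumptions made here; clustered short options such as `-at` are not parsed.

```python
import os
import shlex

# Options that comment 5 lists as embedding policy knowledge (assumed set).
POLICY_OPTS = {"-t": "--type", "-R": "--role", "-r": "--range"}
SEPARATORS = set("();<>|&")  # shlex punctuation tokens that end a command

# Constructed %post scriptlet for illustration, not from a real package.
SAMPLE = r"""
semanage fcontext -a -t httpd_sys_content_t '/srv/app(/.*)?' || :
[ -x /usr/sbin/semanage ] && /usr/sbin/semanage login -a --range=s0 \
    -s user_u appuser
semanage port -l | grep -q 8443
restorecon -R /srv/app
"""

def flagged(tok):
    """Long name of the flagged option in one argv token, else None."""
    name = tok.split("=", 1)[0]                # also matches --type=foo_t
    if name in POLICY_OPTS.values():
        return name
    return POLICY_OPTS.get(tok)                # exact -t, -R or -r only

def commands(line):
    """Split one shell line into argv lists at ;, &&, ||, | and similar."""
    lexer = shlex.shlex(line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    out = [[]]
    try:
        for tok in lexer:
            if tok and set(tok) <= SEPARATORS:
                out.append([])
            else:
                out[-1].append(tok)
    except ValueError:                         # unbalanced quote: keep what parsed
        pass
    return out

def check_scriptlet(text):
    """Return [(command, options)] for semanage calls that use flagged options."""
    hits = []
    for line in text.replace("\\\n", " ").splitlines():
        for argv in commands(line):
            names = [os.path.basename(t) for t in argv]
            if "semanage" in names:
                args = argv[names.index("semanage") + 1:]
                opts = [o for o in map(flagged, args) if o]
                if opts:
                    hits.append((" ".join(argv), opts))
    return hits
```

On the sample, the `fcontext -t` and `login --range` calls are reported, while `semanage port -l` and `restorecon -R` are not.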

Comment 6 Fedora Admin XMLRPC Client 2010-12-07 21:18:50 UTC
This package has changed ownership in the Fedora Package Database.  Reassigning to the new owner of this component.
