Treat seinfo=default name=<anything> as an error.
check_app already checks for usage of name= entries in seapp_contexts with no seinfo= specification to link it back to a signer in mac_permissions.xml. However, one can avoid this error by specifying a seinfo=default which merely matches the default stanza of mac_permissions.xml without actually ensuring that it is tied to a specific certificate. Catch that error case too. Change-Id: If33cf21501e8bfee44d31c92b6341dfa583552b2 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
parent
e8c9fdac46
commit
f4fa7567f4
@ -487,13 +487,13 @@ static bool rule_map_validate(const rule_map *rm) {
|
||||
name = tmp->data;
|
||||
found_name = true;
|
||||
}
|
||||
if(!strcmp(tmp->name, "seinfo") && tmp->data) {
|
||||
if(!strcmp(tmp->name, "seinfo") && tmp->data && strcmp(tmp->data, "default")) {
|
||||
found_seinfo = true;
|
||||
}
|
||||
}
|
||||
|
||||
if(found_name && !found_seinfo) {
|
||||
log_error("No seinfo specified with name=\"%s\", on line: %d\n",
|
||||
log_error("No specific seinfo value specified with name=\"%s\", on line: %d: insecure configuration!\n",
|
||||
name, rm->lineno);
|
||||
return false;
|
||||
}
|
||||
|
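Review bot: The tightened condition on the `if(!strcmp(tmp->name, "seinfo") && tmp->data && strcmp(tmp->data, "default"))` line rejects only the literal spelling `default`, so a `name=` entry paired with any other seinfo string still sets `found_seinfo` and passes the `found_name && !found_seinfo` check below, even when that string names no signer stanza in mac_permissions.xml (or, if the parser accepts `seinfo=` with an empty value, when it is empty). If the set of seinfo values declared in mac_permissions.xml is available to this tool, validating `tmp->data` against that set would enforce the intent stated in the commit message rather than blacklisting one value; if it is not, the limitation deserves a comment at the new condition, e.g. `/* seinfo=default selects the catch-all stanza of mac_permissions.xml and so does not tie name= to a signer; any other value is assumed to name a signer-specific stanza. */`. A test fixture containing `name=foo seinfo=default` would pin the new rejection so it is not lost in a later refactor. rule_map_validate begins before this hunk (its signature appears only in the hunk header) and the enclosing loop and function continue outside it.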