Treat seinfo=default name=<anything> as an error.

check_app already checks for usage of name= entries in seapp_contexts with no seinfo= specification to link it back to a signer in mac_permissions.xml. However, one can avoid this error by specifying a seinfo=default which merely matches the default stanza of mac_permissions.xml without actually ensuring that it is tied to a specific certificate. Catch that error case too. Change-Id: If33cf21501e8bfee44d31c92b6341dfa583552b2 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

Treat seinfo=default name=<anything> as an error.
f4fa7567 · Stephen Smalley · e8c9fdac · f4fa7567
Commit f4fa7567 authored Apr 4, 2014 by Stephen Smalley
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -487,13 +487,13 @@ static bool rule_map_validate(const rule_map *rm) {
 			name = tmp->data;
 			found_name = true;
 		}
-		if(!strcmp(tmp->name, "seinfo") && tmp->data) {
+		if(!strcmp(tmp->name, "seinfo") && tmp->data && strcmp(tmp->data, "default")) {
 			found_seinfo = true;
 		}
 	}

 	if(found_name && !found_seinfo) {
-		log_error("No seinfo specified with name=\"%s\", on line: %d\n",
+		log_error("No specific seinfo value specified with name=\"%s\", on line: %d:  insecure configuration!\n",
 				name, rm->lineno);
 		return false;
 	}