From f4fa7567f4e3d010a3e96c22034bf19fa05d15a7 Mon Sep 17 00:00:00 2001
From: Stephen Smalley <sds@tycho.nsa.gov>
Date: Fri, 4 Apr 2014 14:16:46 -0400
Subject: [PATCH] Treat seinfo=default name=<anything> as an error.

check_app already checks for usage of name= entries
in seapp_contexts with no seinfo= specification to
link it back to a signer in mac_permissions.xml.
However, one can avoid this error by specifying
a seinfo=default which merely matches the default
stanza of mac_permissions.xml without actually ensuring
that it is tied to a specific certificate.  Catch
that error case too.

Change-Id: If33cf21501e8bfee44d31c92b6341dfa583552b2
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
---
 tools/check_seapp.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index e5108e3f7..39fe77e18 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c
@@ -487,13 +487,13 @@ static bool rule_map_validate(const rule_map *rm) {
 			name = tmp->data;
 			found_name = true;
 		}
-		if(!strcmp(tmp->name, "seinfo") && tmp->data) {
+		if(!strcmp(tmp->name, "seinfo") && tmp->data && strcmp(tmp->data, "default")) {
 			found_seinfo = true;
 		}
 	}
 
 	if(found_name && !found_seinfo) {
-		log_error("No seinfo specified with name=\"%s\", on line: %d\n",
+		log_error("No specific seinfo value specified with name=\"%s\", on line: %d:  insecure configuration!\n",
 				name, rm->lineno);
 		return false;
 	}
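Review bot: The new `strcmp(tmp->data, "default")` term on the seinfo line carries the whole rationale of this change but nothing in the code says why the literal "default" is singled out; a reader of check_seapp.c alone cannot tell that it refers to the default stanza of mac_permissions.xml. I would add a comment above that condition, e.g. `/* seinfo=default only matches the default stanza of mac_permissions.xml and does not tie the name= entry to a signing certificate, so it must not count as a seinfo specification. */`. Note that the comparison is exact and case-sensitive, which is consistent with the `strcmp(tmp->name, "seinfo")` key match on the same line, so a value like "Default" would still count as a specific seinfo; that seems intended but is worth stating in the comment. The enclosing rule_map_validate() starts before this hunk and continues after it.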
-- 
GitLab