SELint is an SEAndroid policy analysis tool. It performs a series of checks on a source policy, suggesting improvements to the policy developer.
SELint may be obtained by cloning this repository. From the command line, do:
$ git clone git@github.com:seandroid-analytics/selint.git
You may also download the latest release.
SELint requires the setools library from SEToolsv4, and the future Python module.
You can install the future module with Pip:
$ pip install --upgrade future
The setools library is distributed as part of the AOSP tree, where it is bundled as a prebuilt.
After downloading the AOSP tree in <WORKING_DIRECTORY>, the setools package will be in
<WORKING_DIRECTORY>/prebuilts/python/linux-x86/2.7.5/lib/python2.7/site-packages
To use this package, add this path to your $PYTHONPATH; for example, on Ubuntu 14.04 LTS add this to your .profile:
export PYTHONPATH="<WORKING_DIRECTORY>/prebuilts/python/linux-x86/2.7.5/lib/python2.7/site-packages:$PYTHONPATH"
You may also use the latest version of the setools library from the official git repo.
Follow the instructions to download and install the software on the SETools repo.
Before running SELint, you need to configure it to work on the desired SEAndroid policy source files. Please follow the configuration instructions.
After configuring the software, you can run it:
$ ./selint [OPTIONS]
You may obtain the full list of command line options by running:
$ ./selint -h
usage: selint [-h] [-l] [-w <PLUGIN> [<PLUGIN> ...] | -b <PLUGIN>
[<PLUGIN> ...]] [-D NAME[=VALUE] [NAME[=VALUE] ...]]
[--dumppolicyconf <FILE>] [--listpolicyfiles] [-v <LVL>]
[-c <FILE>]
SELinux source policy analysis tool.
optional arguments:
-h, --help show this help message and exit
-l, --list list the available plugins and exit.
-w <PLUGIN> [<PLUGIN> ...], --whitelist <PLUGIN> [<PLUGIN> ...]
specify the plugins to run [Default: run all].
-b <PLUGIN> [<PLUGIN> ...], --blacklist <PLUGIN> [<PLUGIN> ...]
specify the plugins not to run [Default: run all].
-D NAME[=VALUE] [NAME[=VALUE] ...], --define NAME[=VALUE] [NAME[=VALUE] ...]
Pass additional definitions to M4 when expanding the
policy. Identical to the -D option in m4.
--dumppolicyconf <FILE>
write the policy.conf to a user-specified file. If the
file already exists, IT WILL BE OVERWRITTEN.
--listpolicyfiles List all the recognized policy files and exit.
-v <LVL>, --verbosity <LVL>
Be verbose. Supported levels are 0-4, with 0 being the
default.
-c <FILE>, --config <FILE>
Source the specified config file [Default: config.py].
If not differently specified, all available plugins will be run.
Here are some example usages of SELint which you may find useful.
See all available plugins:
$ ./selint -l
Run global_macros and te_macros plugins, using a user-provided configuration file:
$ ./selint -c user-config.py -w global_macros te_macros
Run all plugins except global_macros and te_macros, using a user-provided configuration file:
$ ./selint -c user-config.py -b global_macros te_macros
List all the recognized policy files from a user-provided configuration file and exit:
$ ./selint -c user-config.py --listpolicyfiles
The version of setools from your Android tree might not support xperms rules.
If you are using setools from your Android tree and your policy contains xperms rules, setools may crash when trying to parse the policy.
To avoid this issue, you can either use setools from the GitHub repo or comment out the affected lines in your policy.
You can report bugs in the project issue tracker.
Copyright 2015 Aalto University
The SELint program and its plugins are licensed under the Apache License 2.0 (see LICENSE.APACHE).
The policysource library is licensed under the GNU Lesser General Public License (see LICENSE.LGPL).
All files distributed with this package indicate the appropriate license to use.
SELint is an open source project being developed by Filippo Bonazzi and Elena Reshetova from the Secure Systems research group (SSG) at Aalto University. The project is part of the Intel Collaborative Research Institute for Secure Computing (ICRI-SC).
You can find more information on the project site.