Commit graph

2549 commits

Author SHA1 Message Date
Nicolas Iooss
89e808af1d python/sepolgen: always indent with 4 spaces
p_attribute_role_def() used tabs.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-12-19 13:29:08 +01:00
Nicolas Iooss
b7227aaec1 mcstrans: fix Python linter warnings on test scripts
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-12-19 11:37:35 +01:00
Nicolas Iooss
0ec2ed57c3 mcstrans: convert test scripts to Python 3
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-12-19 11:37:29 +01:00
Petr Lautrbach
5013d2ba97 python/sepolicy: search() also for dontaudit rules
dontaudit rules were accidentally dropped during rewrite to SETools 4 API in
97d5f6a2

Fixes:
>>> import sepolicy
>>> sepolicy.search(['dontaudit'])
[]

Signed-off-by: Petr Lautrbach <plautrba@redhat.com>
2018-12-18 13:21:06 +01:00
Nicolas Iooss
16e3953a76
python/semanage: do not show "None" levels when using a non-MLS policy
When MLS is disabled, "semanage export" shows records such as:

    login -a -s sysadm_u -r 'None' me

Prevent "semanage export" from displaying None or empty strings in level
and categories arguments by checking them in all customized() methods.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-12-15 10:02:46 +01:00
Nicolas Iooss
f39c0ac637 python/chcat: fix removing categories on users with Fedora default setup
Using Vagrant with fedora/28-cloud-base image, SELinux logins are
configured this way:

    # semanage login -l
    Login Name           SELinux User         MLS/MCS Range        Service

    __default__          unconfined_u         s0-s0:c0.c1023       *
    root                 unconfined_u         s0-s0:c0.c1023       *
    vagrant              unconfined_u         s0-s0:c0.c1023       *

Using "chcat -l +c42 vagrant" successfully adds the category to user
vagrant, but "chcat -l -- -c42 vagrant" fails to remove it.
semanage login -l returns:

    vagrant              unconfined_u         s0-s0:c0.c1023,c42   *

This issue is caused by expandCats(), which refuses to return a list of
more than 25 categories. This causes chcat_user_remove() to work with
cats=['c0.c1023,c42'] instead of cats=['c0.c102','c42'], which leads to
it not been able to remove 'c42' from the list.

Fix this issue by splitting the list of categories before calling
expandCats().

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-12-11 12:39:09 +01:00
Nicolas Iooss
69c56bd2f6 python/chcat: improve the code readability
flake8 reports many warnings for chcat:

    chcat:7:1: E265 block comment should start with '# '
    chcat:29:1: F401 'string' imported but unused
    chcat:44:1: E722 do not use bare 'except'
    chcat:104:9: F841 local variable 'e' is assigned to but never used
    chcat:144:9: F841 local variable 'e' is assigned to but never used
    chcat:186:9: F841 local variable 'e' is assigned to but never used
    chcat:234:9: F841 local variable 'e' is assigned to but never used
    chcat:262:9: F841 local variable 'e' is assigned to but never used
    chcat:281:5: F841 local variable 'e' is assigned to but never used
    chcat:385:9: E722 do not use bare 'except'
    chcat:402:1: E305 expected 2 blank lines after class or function definition, found 1
    chcat:436:5: F841 local variable 'e' is assigned to but never used

Fix all of them.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-12-11 12:39:07 +01:00
Vit Mojzis
2923d9d21e python/chcat: use check_call instead of getstatusoutput
Use "check_call" instead of "getstatusoutput" in order for special
characters and spaces in filenames to be handled correctly.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1013774

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-12-11 12:39:05 +01:00
Vit Mojzis
9cb9b18b17
python/semanage: Start exporting "ibendport" and "ibpkey" entries
Include "ibendport" and "ibpkey" entries in "semanage export".

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-12-09 16:09:08 +01:00
Vit Mojzis
73135989de
python/semanage: Include MCS/MLS range when exporting local customizations
Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-12-09 16:08:53 +01:00
Stephen Smalley
49c13dd6bc
libsepol: ibpkeys.c: fix printf format string specifiers for subnet_prefix
Use PRIx64 to print the subnet_prefix (which is a uint64_t) instead
of lx.

Fixes #108

Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-11-23 21:38:44 +01:00
Nicolas Iooss
3b0dbede9c gui: remove html_util.py
This file is not used anywhere.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-11-22 10:03:49 +01:00
Tom Gundersen
3a40d05735 dbus: remove deprecated at_console statement
As described in [0], this likely did not have the intended effect, so
simply remove it. The change in behavior is that up until this patch
it would be possible for any non-system user to potentially gain access
to selinux' dbus interface. Now this is extended to also allow any
system user.

As the comment indicates, PolicyKit is used to enforce access, so this
should be perfectly harmless.

[0]: <https://www.spinics.net/lists/linux-bluetooth/msg75267.html>

Signed-off-by: Tom Gundersen <teg@jklm.no>
CC: David Herrmann <dh.herrmann@gmail.com>
2018-11-22 10:03:30 +01:00
Nicolas Iooss
b4b0074294
libselinux: selinux_restorecon: fix printf format string specifier for uint64_t
fc_count is defined as uint64_t, which needs to be printed with PRIu64
(it is "llu" on x86 and "lu" on x86-64). Otherwise, building with
'CC="gcc -m32"' fails with:

    selinux_restorecon.c: In function ‘restorecon_sb’:
    selinux_restorecon.c:633:26: error: format ‘%lu’ expects argument of
    type ‘long unsigned int’, but argument 3 has type ‘uint64_t’ {aka
    ‘long long unsigned int’} [-Werror=format=]
         fprintf(stdout, "\r%luk", fc_count / STAR_COUNT);
                            ~~^
                            %llu

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-11-10 17:32:06 +01:00
Vit Mojzis
a3be73bea4
python: replace aliases with corresponding type names
Aliases are not used in the selinux database. When user enters a type
alias as a parameter it should be converted to the corresponding type
in order to be processed correctly further in the userspace logic.

Fixes e.g.:

\#sepolicy transition -s phpfpm_t
/* where phpfpm_t is a type alias of httpd_t */

Traceback (most recent call last):
  File "/usr/bin/sepolicy", line 691, in <module>
    args.func(args)
  File "/usr/bin/sepolicy", line 458, in transition
    mytrans = setrans(args.source, args.target)
  File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 48, in __init__
    self._process(self.source)
  File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 54, in _process
    trans = _get_trans(source)
  File "/usr/lib/python3.6/site-packages/sepolicy/transition.py", line 36, in _get_trans
    src_list = [src] + list(filter(lambda x: x['name'] == src, sepolicy.get_all_types_info()))[0]['attributes']
IndexError: list index out of range
2018-11-10 17:26:13 +01:00
James Carter
46c5207482 libsepol: mark permissive types when loading a binary policy
Nicolas Iooss reports:
When using checkpolicy to read a binary policy, permissive types are not
written in the output file. In order to reproduce this issue, a test
policy can be written from minimal.cil with the following commands:

    $ cd secilc/test/
    $ cp minimum.cil my_policy.cil
    $ echo '(typepermissive TYPE)' >> my_policy.cil
    $ secilc my_policy.cil
    $ checkpolicy -bC -o /dev/stdout policy.31

    # There is no "(typepermissive TYPE)" in checkpolicy output.

This is because TYPE_FLAGS_PERMISSIVE is added to typdatum->flags only
when loading a module, which uses the permissive flag in the type
properties. A kernel policy defines permissive types in a dedicated
bitmap, which gets loaded as p->permissive_map before the types are
loaded.

The solution is to use the permissive_map bitmap instead of relying on
the flags field of the struct type_datum when writing out CIL or
policy.conf policy from a binary.

Reported-by: Nicolas Iooss <nicolas.iooss@m4x.org>
Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-11-06 14:11:56 -05:00
Stephen Smalley
3f99b14939 libselinux: fix overly strict validation of file_contexts.bin
load_mmap and regex_load_mmap (in the !USE_PCRE2 case) were
incorrectly treating the absence of any fixed stems or study data
as an error, rejecting valid file_contexts.bin files.  Remove
the extraneous validation checks.

Test:
$ cat > file_contexts <<EOF
(/.*)?                u:object_r:system_file:s0
/lib                   u:object_r:system_dir:s0
EOF
$ sefcontext_compile file_contexts
$ selabel_lookup -b file -k /lib -f file_contexts.bin

Before:
ERROR: selabel_open - Could not obtain handle.

After:
Default context: u:object_r:system_dir:s0

Reported-by: Jiyong Park <jiyong@google.com>
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-11-05 09:31:45 -05:00
Mr Stid
c6f44ba8da
Fix snprintf truncated error
Link: https://github.com/SELinuxProject/selinux/pull/106
Signed-off-by: StidOfficial <stidofficiel@gmail.com>
2018-10-27 09:18:15 +02:00
Yuli Khodorkovskiy
95b3552451 mcstrans: remove unused getpeercon_raw() call
There is a call to getpeercon_raw() in mcstransd, but nothing is done
with the context. The purpose of process_request() is to translate a
context and we would like that to succeed even if, for some reason,
getpeercon_raw() fails.

Signed-off-by: Yuli Khodorkovskiy <yuli@crunchydata.com>
Signed-off-by: Joshua Brindle <joshua.brindle@crunchydata.com>
2018-10-26 09:53:11 -04:00
Ondrej Mosnacek
94ebccf534 libsepol: add missing ibendport port validity check
The kernel checks if the port is in the range 1-255 when loading an
ibenportcon rule. Add the same check to libsepol.

Fixes: 118c0cd103 ("libsepol: Add ibendport ocontext handling")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2018-10-25 14:06:45 -07:00
Ondrej Mosnacek
c8e5de952d libsepol: fix endianity in ibpkey range checks
We need to convert from little-endian before dong range checks on the
ibpkey port numbers, otherwise we would be checking a wrong value on
big-endian systems.

Fixes: 9fbb311276 ("libsepol: Add ibpkey ocontext handling")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2018-10-25 14:06:45 -07:00
Vit Mojzis
48aeea9ce6
python/semanage: Stop rejecting aliases in semanage commands
Resolves:

\# semanage fcontext -a -t svirt_sandbox_file_t /pokus
ValueError: Type svirt_sandbox_file_t is invalid, must be a file or device type
\# semanage fcontext -d -t svirt_sandbox_file_t /pokus
ValueError: File context for /pokus is not defined

\# seinfo -tsvirt_sandbox_file_t -x
   TypeName container_file_t
   Aliases
      svirt_sandbox_file_t
      svirt_lxc_file_t

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-10-23 20:47:55 +02:00
Vit Mojzis
4c63b8e7b6
python/sepolicy: Stop rejecting aliases in sepolicy commands
Fix CheckDomain and CheckPortType classes to properly deal with aliases.

Resolves:
   https://bugzilla.redhat.com/show_bug.cgi?id=1600009

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-10-23 20:47:48 +02:00
Vit Mojzis
448f5a9257
python/sepolicy: Fix "info" to search aliases as well
Restore previous behaviour of "sepolicy.info()".

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-10-23 20:47:30 +02:00
Stephen Smalley
d3c359ee82 README: Update the SELinux mailing list location
Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>
2018-10-16 11:08:39 -04:00
James Carter
4a400f38a6 libsepol: Add two new Xen initial SIDs
Xen uses the initial SIDs domU and domDM in its toolstack, so it makes
sense to add these to xen_sid_to_str[] in kernel_to_common.h

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-10-15 13:39:15 -04:00
James Carter
253be67d09 libsepol: Check that initial sid indexes are within the valid range
When writing CIL from a policy module or when writing CIL or policy.conf
from a kernel binary policy, check that the initial sid index is within
the valid range of the selinux_sid_to_str[] array (or xen_sid_to_str[]
array for a XEN policy). If it is not, then create a unique name
("UNKNOWN"+index) for the initial sid.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-10-15 13:39:15 -04:00
James Carter
a64649ba7b libsepol: Eliminate initial sid string definitions in module_to_cil.c
Since the initial sid strings are defined in kernel_to_common.h,
module_to_cil.c can use those and its initial sid string definitions
can be removed.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-10-15 13:39:15 -04:00
James Carter
4cc016d033 libsepol: Rename kernel_to_common.c stack functions
Want to make use of selinux_sid_to_str[] and xen_sid_to_str[] from
kernel_to_common.h in module_to_cil.c, but stack functions with the
same names exist in module_to_cil.c and kernel_to_common.c (with
the function prototypes in kernel_to_common.h).

Since the stack functions in kernel_to_common.c are less general and
only work with strings, rename those functions from stack_* to
strs_stack_*.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-10-15 13:39:15 -04:00
James Carter
9077c5c056 checkpolicy: Add option to sort ocontexts when creating a binary policy
Add an option, specified by "-S" or "--sort", to sort the ocontexts
before writing out the binary policy.

Binary policies created by semanage and secilc are always sorted, so
this option allows checkpolicy to be consistent with those. It has
not been made the default to maintain backwards compatibility for
anyone who might be depending on the unsorted behavior of checkpolicy.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-10-12 13:38:00 -04:00
James Carter
b816808e7f libsepol: Create policydb_sort_ocontexts()
Create the function called policydb_sort_ocontexts() that calls
the internal function sort_ocontexts() to sort the ocontexts of
a policydb.

The function sort_ocontexts() is already used by
sepol_kernel_policydb_to_conf() and sepol_kernel_policydb_to_cil()
when converting a binary policy to cil or policy.conf format.

Signed-off-by: James Carter <jwcart2@tycho.nsa.gov>
2018-10-12 13:38:00 -04:00
Yuli Khodorkovskiy
c7fa63150e libsemanage: improve semanage_migrate_store import failure
The selinux/semanage python module import error in semanage_migrate_store
was misleading. Before, it would report that the selinux/semanage modules
were not installed even though they were on the system.

Now the import failure is only reported if the modules are not installed.
Otherwise, a stack trace is printed for all other errors in the selinux/semanage
python modules.

Signed-off-by: Yuli Khodorkovskiy <yuli.khodorkovskiy@crunchydata.com>
2018-10-11 10:53:18 -04:00
Ondrej Mosnacek
385ef2cdc6 restorecond: Do not ignore the -f option
Since the default value of watch_file is set unconditionally *after* the
command-line arguments have been parsed, the -f option is (and has
always been) effectively ignored. Fix this by setting it before the
parsing.

Fixes: 48681bb49c ("policycoreutils: restorecond: make restorecond dbuss-able")
Signed-off-by: Ondrej Mosnacek <omosnace@redhat.com>
2018-10-11 10:53:08 -04:00
Vit Mojzis
e5f312667b
python/sepolicy: Update to work with setools-4.2.0
Change in internal setools API causes sepolicy to crash when processing
AVRules.

    File "python/sepolicy/sepolicy/__init__.py", line 277, in _setools_rule_to_dict
        if isinstance(rule, setools.policyrep.terule.AVRule):
    AttributeError: module 'setools.policyrep' has no attribute 'terule'

See https://github.com/SELinuxProject/setools/issues/8 for more details.

Stop using internal setools API:

- use AttributeError instead of setools specific exceptions
- evaluate conditional expressions using conditional.evaluate() instead
of qpol_symbol.is_enabled()

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-09-25 21:30:15 +02:00
Nick Kralevich via Selinux
2896967775 secilc: better error handling
Fix a situation where the secilc command line tool could return success
even though the compilation failed.

  $ secilc /dev/null -o /dev/null -f /dev/null
  Failure reading file: /dev/null
  $ echo $?
  0

Signed-off-by: Nick Kralevich <nnk@google.com>
2018-09-25 08:05:41 -07:00
Nick Kralevich via Selinux
0a71c5f3eb whitespace and spelling cleanup
Signed-off-by: Nick Kralevich <nnk@google.com>
2018-09-25 08:05:41 -07:00
Nick Kralevich via Selinux
854fdc1ac4 checkpolicy: remove extraneous policy build noise
Reduce noise when calling the checkpolicy command line. In Android, this
creates unnecessary build noise which we'd like to avoid.

https://en.wikipedia.org/wiki/Unix_philosophy

  Rule of Silence
  Developers should design programs so that they do not print
  unnecessary output. This rule aims to allow other programs
  and developers to pick out the information they need from a
  program's output without having to parse verbosity.

An alternative approach would be to add a -s (silent) option to these
tools, or to have the Android build system redirect stdout to /dev/null.

Signed-off-by: Nick Kralevich <nnk@google.com>
2018-09-21 12:51:36 -07:00
liwugang
98a951fa76
checkpolicy: check the result value of hashtable_search
Signed-off-by: liwugang <liwugang@xiaomi.com>
2018-09-19 20:43:39 +02:00
Nicolas Iooss
c5389c7c45
semanage: add a missing space in ibendport help
Currently, in:

    # semanage ibendport --help
    usage: semanage ibendport [-h] [-n] [-N] [-s STORE] [ --add -t TYPE
    -z IBDEV_NAME -r RANGE ( port ) | --delete -z IBDEV_NAME -r RANGE(
    port ) | --deleteall  | --extract  | --list -C | --modify -t TYPE -z
    IBDEV_NAME -r RANGE ( port ) ]

... a space is missing between "RANGE" and "( port )" in the usage of
--delete. Add it by splitting the string correctly in the usage line
definition.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-09-09 21:35:51 +02:00
Nicolas Iooss
7dd66ea49a
semanage: "semanage user" does not use -s, fix documentation
Both "semanage user --help" and "man 8 semanage-user" state that
"semanage user" accepts option -s, but this is incorrect: -s is not
needed to specify the SELinux user on the command line, contrary to
"semanage login" for example. Fix the documention.

While at it, remove many spaces from the helptext of option --roles. I
do not know where they came from, but they were reduced to a single
space when displayed anyway.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-09-09 21:35:44 +02:00
Nicolas Iooss
b573f65238
libsemanage: use previous seuser when getting the previous name
I missed this bug in commit 9ec0ea143ab5 ("libsemanage: use previous
seuser when getting the previous name").

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-09-05 22:07:37 +02:00
Vit Mojzis
343442e99b
libsemanage: Include user name in ROLE_REMOVE audit events
Use "previous" user name when no new user is available in
semanage_seuser_audit. Otherwise "id=0" is logged instead of
"acct=user_name" ("id=0" is hard coded value).

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1622045
2018-09-05 21:46:51 +02:00
Hollis Blanchard
70b9658d8c
Fix build break around __atomic_*() with GCC<4.7
The __atomic_* GCC primitives were introduced in GCC 4.7, but Red Hat
Enterprise Linux 6.x (for example) provides GCC 4.4. Tweak the current code to
use the (most conservative) __sync_synchronize() primitive provided by those
older GCC versions.

Fixes https://github.com/SELinuxProject/selinux/issues/97

(Really, no __atomic or __sync operations are needed here at all, since POSIX
4.12 "Memory Synchronization" says pthread_mutex_lock() and
pthread_mutex_unlock() "synchronize memory with respect to other threads"...)
2018-08-22 22:56:08 +02:00
Vit Mojzis
220a51b921
libsemanage: reset umask before creating directories
Restrictive umask may cause creating directories with with unintended
access mode. Reset umask before creating directories to avoid this
issue.

Fixes: https://bugzilla.redhat.com/show_bug.cgi?id=1186422

Signed-off-by: Vit Mojzis <vmojzis@redhat.com>
2018-08-22 07:46:12 +02:00
Nicolas Iooss
6f01778406
python: remove semicolon from end of lines
Python does not need to end a statement with a semicolon. Doing this
gets reported by linters such as flake8 ("E703 statement ends with a
semicolon").

Remove such semicolons in the code and enable this warning in
scripts/run-flake8.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-19 17:55:19 +02:00
Nicolas Iooss
b5e2da2654
Travis-CI: upgrade to Ubuntu 16.04 LTS Xenial Xerus
Ubuntu 14.04 uses SWIG 2.0.11 which produces Python files which contain
lines ending with a semicolon:

    __del__ = lambda self : None;

Ubuntu 16.04 uses SWIG 3.0.8, which does not put a semicolon. Moreover
Travis CI only support Python 3.7 with Ubuntu 16.04. The reason for this
is clearly stated on
https://docs.travis-ci.com/user/languages/python/#development-releases-support :

    Recent Python branches require OpenSSL 1.0.2+. As this library is
    not available for Trusty, 3.7, 3.7-dev, 3.8-dev, and nightly do not
    work (or use outdated archive).

Enabling Python 3.7 in Travis CI build matrix is therefore another
reason to upgrade .travis.yml to Ubuntu 16.04. As this new template does
not support Python 3.4 nor 3.5, and does not support PyPy2.7 yet, drop
them from the build matrix.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-19 17:55:17 +02:00
Nicolas Iooss
70c06e38be
libselinux: add a const to suppress a build warning with Python 3.7
On systems using Python 3.7, when compiling libselinux Python wrappers
(with "make install-pywrap"), the following warning is reported by gcc:

    audit2why.c: In function ‘analyze’:
    audit2why.c:364:11: warning: assignment discards ‘const’ qualifier
    from pointer target type [-Wdiscarded-qualifiers]
       permstr = _PyUnicode_AsString( strObj );
               ^

Make permstr "const char *" in order to suppress this warning.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-19 17:55:13 +02:00
Nicolas Iooss
92024b1544
libsemanage: make pywrap-test.py compatible with Python 3
This program can be useful in order to test the Python API of
libsemanage. Make it usable in Python 3 using 2to3 and some tweaks.

While at it, fix warnings reported by flake8 linter.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-19 15:18:27 +02:00
Nicolas Iooss
fea7eecee4
libsemanage: reindent pywrap-test.py with spaces
Only use spaces to indent Python code. This reduces the number of
warnings reported by Python linters.

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-19 15:18:26 +02:00
Nicolas Iooss
41764b73a7
Travis-CI: run flake8 on Python code
flake8 is a Python linter which is able to detect issues in Python code
(syntax errors, undefined variables, etc.). It has been used to find
bugs in the project. In order to prevent the introduction of new bugs
which can be detected by it, add a script which runs it and use it in
Travis-CI.

flake8 can be used to detect code which is not written according to PEP8
style guide (which forbids whitespaces in some places, enforces the use
of space-indenting, specifies how many blank lines are used between
functions, etc.). As SELinux code does not follow this style guide,
scripts/run-flake8 disables many warnings related to this when running
the linter.

In order to silence flake8 warnings, the Python code can also be
modified. However fixing every "do not use bare 'except'" in the project
needs to be done carefully and takes much time.
This is why the warnings which are disabled have been ordered in three
lists:
* The warnings which can be activated in a not-so-distant future after
  the code has been modified.
* The warnings related to PEP8 which cannot be activated without a major
  cleaning work of the codebase (for example to modify white spaces)
* The warnings which are introduced by code generated by SWIG 3.0.12,
  which would require patches in SWIG in order to be activated (there
  is right now only one such warning).

Signed-off-by: Nicolas Iooss <nicolas.iooss@m4x.org>
2018-08-18 12:00:24 +02:00