Re: [PATCH] checkpolicy: Add --werror flag to checkmodule and checkpolicy to treat warnings as errors.

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



It looks to me like the only warnings are for:
- Conflicting expandattribute rules (which will default to false)
- A dontaudit rule that uses ~ for its permissions
- Stating that role dominance is deprecated
- Unexpected character: @ $ % & _ + = \ | " ' < > ?

It might make more sense just to make the unexpected character case to
always be an error.

Jim

On Fri, Mar 6, 2020 at 9:16 AM Daniel Burgener
<dburgener@xxxxxxxxxxxxxxxxxxx> wrote:
>
> On 3/6/20 8:57 AM, Stephen Smalley wrote:
> > On Thu, Mar 5, 2020 at 1:40 PM Daniel Burgener
> > <dburgener@xxxxxxxxxxxxxxxxxxx> wrote:
> >> When the lexer encounters an unexpected character in a policy source
> >> file, it prints a warning, discards the character and moves on. In
> >> some build environments, these characters could be a symptom of an
> >> earlier problem, such as unintended results of expansion of
> >> preprocessor macros, and the ability to have the compiler halt on
> >> such issues would be helpful for diagnosis. Signed-off-by: Daniel
> >> Burgener <Daniel.Burgener@xxxxxxxxxxxxx>
> > I'm trying to remember why this particular case (unmatched character
> > in the lexer) isn't already a fatal error. If there isn't a real
> > reason for it, we could alternatively just switch it to use yyerror()
> > in that case. Otherwise, your description suggests that you only want
> > to make that particular case a fatal error; are you sure you want to
> > treat all warnings as fatal errors?
>
> That's a bug in the description rather than the code.  That particular
> case is what caused me to want this option, but my intent was to add an
> ability to treat all warnings as errors.  I can resubmit with a better
> message if you'd like.
>
> I'm not sure why the behavior is that that particular case is a
> warning.  Git blame shows it as going back to the import from svn, so
> it's been that way for a while.  I'd think that --werror would be
> helpful either way.  If no one has a reason for this particular case to
> be a warning rather than an error, I can submit a patch for that change
> as well.
>
> -Daniel
>



[Index of Archives]     [Selinux Refpolicy]     [Linux SGX]     [Fedora Users]     [Fedora Desktop]     [Yosemite Photos]     [Yosemite Camping]     [Yosemite Campsites]     [KDE Users]     [Gnome Users]

  Powered by Linux