Treat seinfo=default name=<anything> as an error. check_app already checks for usage of name= entries in seapp_contexts with no seinfo= specification to link it back to a signer in mac_permissions.xml. However, one can avoid this error by specifying a seinfo=default which merely matches the default stanza of mac_permissions.xml without actually ensuring that it is tied to a specific certificate. Catch that error case too. Change-Id: If33cf21501e8bfee44d31c92b6341dfa583552b2 Signed-off-by: Stephen Smalley <sds@tycho.nsa.gov>

commit: f4fa7567f4e3d010a3e96c22034bf19fa05d15a7 [log] [tgz]
author: Stephen Smalley <sds@tycho.nsa.gov> Fri Apr 04 14:16:46 2014 -0400
committer: Stephen Smalley <sds@tycho.nsa.gov> Fri Apr 04 14:16:46 2014 -0400
tree: 10f3bdabe84afa7c71369c58d29af937327f4234
parent: e8c9fdac46c2ae972fd9e0f97b442d59b349e718 [diff]
diff --git a/tools/check_seapp.c b/tools/check_seapp.c
index e5108e3..39fe77e 100644
--- a/tools/check_seapp.c
+++ b/tools/check_seapp.c

@@ -487,13 +487,13 @@
 			name = tmp->data;
 			found_name = true;
 		}
-		if(!strcmp(tmp->name, "seinfo") && tmp->data) {
+		if(!strcmp(tmp->name, "seinfo") && tmp->data && strcmp(tmp->data, "default")) {
 			found_seinfo = true;
 		}
 	}
 
 	if(found_name && !found_seinfo) {
-		log_error("No seinfo specified with name=\"%s\", on line: %d\n",
+		log_error("No specific seinfo value specified with name=\"%s\", on line: %d:  insecure configuration!\n",
 				name, rm->lineno);
 		return false;
 	}
commit	f4fa7567f4e3d010a3e96c22034bf19fa05d15a7	[log] [tgz]
author	Stephen Smalley <sds@tycho.nsa.gov>	Fri Apr 04 14:16:46 2014 -0400
committer	Stephen Smalley <sds@tycho.nsa.gov>	Fri Apr 04 14:16:46 2014 -0400
tree	10f3bdabe84afa7c71369c58d29af937327f4234
parent	e8c9fdac46c2ae972fd9e0f97b442d59b349e718 [diff]