From ab5ed7f3d68071e62900e5dc6fe54f4d092ca359 Mon Sep 17 00:00:00 2001
From: Adrian Szyndela
Date: Fri, 23 Aug 2019 11:37:51 +0200
Subject: [PATCH] policychecker: allow i-dont-need-any-name configs

This allows configurations that do not concern any owned names, e.g. configurations for specifying who can receive some specific signals.

Without this change, the checking rules ensure that every policy configuration file contains at least one and one policy rule. This was introduced when there was "global default allow" policy in some uses. Nowadays, such policies are probably long gone.

Anyway, there are still other checking rules present, which complain for not having proper rules in default context, if rules for a name are present in the configuration file.

Change-Id: Ic4eeee3ff5c8524fda58d17874fe6fdb37fb4d1c
--- policychecker/rules.xsl | 7 ------- 1 file changed, 7 deletions(-) diff --git a/policychecker/rules.xsl b/policychecker/rules.xsl index 0d13fb9..188a572 100644 --- a/policychecker/rules.xsl +++ b/policychecker/rules.xsl @@ -96,16 +96,9 @@ - You must provide a policy context-default section. - - You must define a 'deny own="yourname"' or 'deny own_prefix="yourname"' rule in context-default policy to avoid depending on a global 'deny own="*"'. - You must define a 'deny send_destination="yourname"' or 'deny send_destination_prefix="yourname"' rule in context-default policy to avoid depending on a global deny. - - - -- 2.34.1
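Review bot: The seven deletions at @@ -96,16 +96,9 @@ in policychecker/rules.xsl are justified in the commit message only by "global default allow" policies being "probably long gone". Please confirm that before this lands, because once the checker accepts a file with no name-related rules, a deployment that still has a permissive global default gets no warning from it. The message also relies on the remaining assertions (the 'deny own="yourname"' and 'deny send_destination="yourname"' messages visible in this hunk) continuing to fire whenever a name is present, but the patch touches only rules.xsl and adds nothing that exercises either path. I would add two checker fixtures: a configuration with no owned name, such as the signal-receive case the message mentions, which must now pass, and a configuration that declares a name without the context-default deny rules, which must still be rejected. It would also help to name in the commit message which assertion is being removed, so a later reader does not have to reconstruct it from the diff.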