Re: [PATCH] cil_reference_guide: update specification for valid symbols

[Petr Lautrbach <lautrbach@redhat.com>]

James Carter <jwcart2@gmail.com> writes:

> On Mon, Apr 13, 2026 at 1:43 PM Rahul Sandhu <nvraxn@posteo.uk> wrote:
>>
>> Currently, the specification has a very limited character set of valid
>> symbols. This does not reflect was libsepol (and by extension secilc as
>> well) accepts, as can be seen both in spec_char's definition[1], which
>> symbol is comprised of along with digit and alpha, and with some basic
>> demonstration (note cil-policy.cil refers to the example CIL minimum
>> viable policy provided by the SELinux notebook[2] such that the example
>> is not polluted with SID declarations, policy caps, and other fluff):
>>
>>   carbon ~ # cat <<'EOF' >mytest.cil
>>   (filecon /[].@=/*-_$%+-!|&^:~`#{}'<>?, any ())
>>   EOF
>>   carbon ~ # secilc mytest.cil cil-policy.cil
>>   carbon ~ # echo $?
>>   0
>>
>> As can be seen above, secilc is perfectly happy to accept a variety of
>> characters which are not valid in the specification. Whilst the above
>> example does NOT use valid filecon regex, which libsemanage will later
>> complain about, that does not matter for the purpose of demonstration:
>> a symbol pertains ONLY to what is valid in the language grammar as an
>> unquoted string, not what is valid for the filecon statement.
>>
>> It should be noted as well that this patch drops the backslash symbol,
>> '\'. The libsepol definition of spec_char omits it and this can also be
>> seen in practice:
>>
>>   carbon ~ # cat <<'EOF' >mytest.cil
>>   (filecon /\. any ())
>>   EOF
>>   carbon ~ # secilc mytest.cil cil-policy.cil
>>   Invalid token '\' at line 1 of mytest.cil
>>   Failure adding mytest.cil
>>
>> As such, no consumers should be impacted by its removal from the spec.
>> It also does not seem like a grave omission, so it's probably best to
>> just drop it from the spec.
>>
>> [1] https://github.com/SELinuxProject/selinux/blob/6be1ec3792c11040fd7a3ecb1135e54418eb0d57/libsepol/cil/src/cil_lexer.l#L48
>> [2] https://github.com/SELinuxProject/selinux-notebook/blob/9888b84b8e76c18c6141812d7ffd9b3e2fad6f9e/src/notebook-examples/cil-policy/cil-policy.cil
>>
>> Signed-off-by: Rahul Sandhu <nvraxn@posteo.uk>
>
> Acked-by: James Carter <jwcart2@gmail.com>


Merged, thanks!

>> ---
>>  secilc/docs/cil_reference_guide.md | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/secilc/docs/cil_reference_guide.md b/secilc/docs/cil_reference_guide.md
>> index bcd34b68..af883232 100644
>> --- a/secilc/docs/cil_reference_guide.md
>> +++ b/secilc/docs/cil_reference_guide.md
>> @@ -93,7 +93,7 @@ Definitions may be repeated many times throughout the policy. Duplicates will re
>>  Symbol Character Set
>>  --------------------
>>
>> -Symbols (any string not enclosed in double quotes) must only contain alphanumeric `[a-z A-Z] [0-9]` characters plus the following special characters: `\.=/-_$%@+!|&^:`
>> +Symbols (any string not enclosed in double quotes) must only contain alphanumeric `[a-z A-Z] [0-9]` characters plus the following special characters: `` [].@=/*-_$%+-!|&^:~`#{}'<>?, ``
>>
>>  However symbols are checked for any specific character set limitations, for example:
>>
>> --
>> 2.53.0
>>
>>