[PATCH] cil_reference_guide: update specification for valid symbols

[PATCH] cil_reference_guide: update specification for valid symbols

[Rahul Sandhu]

Currently, the specification has a very limited character set of valid
symbols. This does not reflect was libsepol (and by extension secilc as
well) accepts, as can be seen both in spec_char's definition[1], which
symbol is comprised of along with digit and alpha, and with some basic
demonstration (note cil-policy.cil refers to the example CIL minimum
viable policy provided by the SELinux notebook[2] such that the example
is not polluted with SID declarations, policy caps, and other fluff):

  carbon ~ # cat <<'EOF' >mytest.cil
  (filecon /[].@=/*-_$%+-!|&^:~`#{}'<>?, any ())
  EOF
  carbon ~ # secilc mytest.cil cil-policy.cil
  carbon ~ # echo $?
  0

As can be seen above, secilc is perfectly happy to accept a variety of
characters which are not valid in the specification. Whilst the above
example does NOT use valid filecon regex, which libsemanage will later
complain about, that does not matter for the purpose of demonstration:
a symbol pertains ONLY to what is valid in the language grammar as an
unquoted string, not what is valid for the filecon statement.

It should be noted as well that this patch drops the backslash symbol,
'\'. The libsepol definition of spec_char omits it and this can also be
seen in practice:

  carbon ~ # cat <<'EOF' >mytest.cil
  (filecon /\. any ())
  EOF
  carbon ~ # secilc mytest.cil cil-policy.cil
  Invalid token '\' at line 1 of mytest.cil
  Failure adding mytest.cil

As such, no consumers should be impacted by its removal from the spec.
It also does not seem like a grave omission, so it's probably best to
just drop it from the spec.

[1] https://github.com/SELinuxProject/selinux/blob/6be1ec3792c11040fd7a3ecb1135e54418eb0d57/libsepol/cil/src/cil_lexer.l#L48
[2] https://github.com/SELinuxProject/selinux-notebook/blob/9888b84b8e76c18c6141812d7ffd9b3e2fad6f9e/src/notebook-examples/cil-policy/cil-policy.cil

Signed-off-by: Rahul Sandhu <nvraxn@posteo.uk>
---
 secilc/docs/cil_reference_guide.md | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/secilc/docs/cil_reference_guide.md b/secilc/docs/cil_reference_guide.md
index bcd34b68..af883232 100644
--- a/secilc/docs/cil_reference_guide.md
+++ b/secilc/docs/cil_reference_guide.md
@@ -93,7 +93,7 @@ Definitions may be repeated many times throughout the policy. Duplicates will re
 Symbol Character Set
 --------------------
 
-Symbols (any string not enclosed in double quotes) must only contain alphanumeric `[a-z A-Z] [0-9]` characters plus the following special characters: `\.=/-_$%@+!|&^:`
+Symbols (any string not enclosed in double quotes) must only contain alphanumeric `[a-z A-Z] [0-9]` characters plus the following special characters: `` [].@=/*-_$%+-!|&^:~`#{}'<>?, ``
 
 However symbols are checked for any specific character set limitations, for example:
 
-- 
2.53.0

Re: [PATCH] cil_reference_guide: update specification for valid symbols

[James Carter]

On Mon, Apr 13, 2026 at 1:43 PM Rahul Sandhu <nvraxn@posteo.uk> wrote:
>
> Currently, the specification has a very limited character set of valid
> symbols. This does not reflect was libsepol (and by extension secilc as
> well) accepts, as can be seen both in spec_char's definition[1], which
> symbol is comprised of along with digit and alpha, and with some basic
> demonstration (note cil-policy.cil refers to the example CIL minimum
> viable policy provided by the SELinux notebook[2] such that the example
> is not polluted with SID declarations, policy caps, and other fluff):
>
>   carbon ~ # cat <<'EOF' >mytest.cil
>   (filecon /[].@=/*-_$%+-!|&^:~`#{}'<>?, any ())
>   EOF
>   carbon ~ # secilc mytest.cil cil-policy.cil
>   carbon ~ # echo $?
>   0
>
> As can be seen above, secilc is perfectly happy to accept a variety of
> characters which are not valid in the specification. Whilst the above
> example does NOT use valid filecon regex, which libsemanage will later
> complain about, that does not matter for the purpose of demonstration:
> a symbol pertains ONLY to what is valid in the language grammar as an
> unquoted string, not what is valid for the filecon statement.
>
> It should be noted as well that this patch drops the backslash symbol,
> '\'. The libsepol definition of spec_char omits it and this can also be
> seen in practice:
>
>   carbon ~ # cat <<'EOF' >mytest.cil
>   (filecon /\. any ())
>   EOF
>   carbon ~ # secilc mytest.cil cil-policy.cil
>   Invalid token '\' at line 1 of mytest.cil
>   Failure adding mytest.cil
>
> As such, no consumers should be impacted by its removal from the spec.
> It also does not seem like a grave omission, so it's probably best to
> just drop it from the spec.
>
> [1] https://github.com/SELinuxProject/selinux/blob/6be1ec3792c11040fd7a3ecb1135e54418eb0d57/libsepol/cil/src/cil_lexer.l#L48
> [2] https://github.com/SELinuxProject/selinux-notebook/blob/9888b84b8e76c18c6141812d7ffd9b3e2fad6f9e/src/notebook-examples/cil-policy/cil-policy.cil
>
> Signed-off-by: Rahul Sandhu <nvraxn@posteo.uk>

Acked-by: James Carter <jwcart2@gmail.com>

> ---
>  secilc/docs/cil_reference_guide.md | 2 +-
>  1 file changed, 1 insertion(+), 1 deletion(-)
>
> diff --git a/secilc/docs/cil_reference_guide.md b/secilc/docs/cil_reference_guide.md
> index bcd34b68..af883232 100644
> --- a/secilc/docs/cil_reference_guide.md
> +++ b/secilc/docs/cil_reference_guide.md
> @@ -93,7 +93,7 @@ Definitions may be repeated many times throughout the policy. Duplicates will re
>  Symbol Character Set
>  --------------------
>
> -Symbols (any string not enclosed in double quotes) must only contain alphanumeric `[a-z A-Z] [0-9]` characters plus the following special characters: `\.=/-_$%@+!|&^:`
> +Symbols (any string not enclosed in double quotes) must only contain alphanumeric `[a-z A-Z] [0-9]` characters plus the following special characters: `` [].@=/*-_$%+-!|&^:~`#{}'<>?, ``
>
>  However symbols are checked for any specific character set limitations, for example:
>
> --
> 2.53.0
>
>

Re: [PATCH] cil_reference_guide: update specification for valid symbols

[Petr Lautrbach]

James Carter <jwcart2@gmail.com> writes:

> On Mon, Apr 13, 2026 at 1:43 PM Rahul Sandhu <nvraxn@posteo.uk> wrote:
>>
>> Currently, the specification has a very limited character set of valid
>> symbols. This does not reflect was libsepol (and by extension secilc as
>> well) accepts, as can be seen both in spec_char's definition[1], which
>> symbol is comprised of along with digit and alpha, and with some basic
>> demonstration (note cil-policy.cil refers to the example CIL minimum
>> viable policy provided by the SELinux notebook[2] such that the example
>> is not polluted with SID declarations, policy caps, and other fluff):
>>
>>   carbon ~ # cat <<'EOF' >mytest.cil
>>   (filecon /[].@=/*-_$%+-!|&^:~`#{}'<>?, any ())
>>   EOF
>>   carbon ~ # secilc mytest.cil cil-policy.cil
>>   carbon ~ # echo $?
>>   0
>>
>> As can be seen above, secilc is perfectly happy to accept a variety of
>> characters which are not valid in the specification. Whilst the above
>> example does NOT use valid filecon regex, which libsemanage will later
>> complain about, that does not matter for the purpose of demonstration:
>> a symbol pertains ONLY to what is valid in the language grammar as an
>> unquoted string, not what is valid for the filecon statement.
>>
>> It should be noted as well that this patch drops the backslash symbol,
>> '\'. The libsepol definition of spec_char omits it and this can also be
>> seen in practice:
>>
>>   carbon ~ # cat <<'EOF' >mytest.cil
>>   (filecon /\. any ())
>>   EOF
>>   carbon ~ # secilc mytest.cil cil-policy.cil
>>   Invalid token '\' at line 1 of mytest.cil
>>   Failure adding mytest.cil
>>
>> As such, no consumers should be impacted by its removal from the spec.
>> It also does not seem like a grave omission, so it's probably best to
>> just drop it from the spec.
>>
>> [1] https://github.com/SELinuxProject/selinux/blob/6be1ec3792c11040fd7a3ecb1135e54418eb0d57/libsepol/cil/src/cil_lexer.l#L48
>> [2] https://github.com/SELinuxProject/selinux-notebook/blob/9888b84b8e76c18c6141812d7ffd9b3e2fad6f9e/src/notebook-examples/cil-policy/cil-policy.cil
>>
>> Signed-off-by: Rahul Sandhu <nvraxn@posteo.uk>
>
> Acked-by: James Carter <jwcart2@gmail.com>


Merged, thanks!

>> ---
>>  secilc/docs/cil_reference_guide.md | 2 +-
>>  1 file changed, 1 insertion(+), 1 deletion(-)
>>
>> diff --git a/secilc/docs/cil_reference_guide.md b/secilc/docs/cil_reference_guide.md
>> index bcd34b68..af883232 100644
>> --- a/secilc/docs/cil_reference_guide.md
>> +++ b/secilc/docs/cil_reference_guide.md
>> @@ -93,7 +93,7 @@ Definitions may be repeated many times throughout the policy. Duplicates will re
>>  Symbol Character Set
>>  --------------------
>>
>> -Symbols (any string not enclosed in double quotes) must only contain alphanumeric `[a-z A-Z] [0-9]` characters plus the following special characters: `\.=/-_$%@+!|&^:`
>> +Symbols (any string not enclosed in double quotes) must only contain alphanumeric `[a-z A-Z] [0-9]` characters plus the following special characters: `` [].@=/*-_$%+-!|&^:~`#{}'<>?, ``
>>
>>  However symbols are checked for any specific character set limitations, for example:
>>
>> --
>> 2.53.0
>>
>>