SELinux Security Module development
From: Rahul Sandhu <nvraxn@posteo.uk>
To: SElinux list <selinux@vger.kernel.org>
Subject: MRE: secilc and checkpolicy backend bugs
Date: Thu, 28 May 2026 14:53:59 +0000
Message-ID: <86ldd3k2kd.fsf@posteo.uk>

Hi,

I have stumbled across some bugs in secilc and the backend for emitting
kernel policy language.

secilc appears to miscount AV rules that collapse to nothing, so seinfo
errors as the policy binary emitted by the compiler has no valid AV
rules contained within.

The backend for emitting kernel policy language used by secil2conf also
seems to emit invalid allow statements when cil permissions collapse to
nothing, something which is, at present, valid in CIL.

Patches for both are to follow soon. However, I'm a little unsure about
the semantics of allow rules that collapse to nothing: is there a
use case for them, and should the compiler error or warn on them? I'm not
sure if erroring, or at least doing so by default, is a good idea given
backwards compatibility concerns, but I think it may very well be
reasonable to offer this as a warning.

Please see a minimal reproducer below:

rsandhu@carbon ~ $ cat repr.cil
(user u)
(userrange u lowlow)
(userlevel u low)
(userrole u r)

(role r)

(roletype r t)

(type t)

(sensitivity s0)
(sensitivityorder (s0))

(level low (s0))
(levelrange lowlow (low low))

(context context (u r t lowlow))

(sid kernel)
(sidorder (kernel))
(sidcontext kernel context)

(class foo (bar baz))
(classorder (foo))

(allow t self (foo (not (bar baz))))
rsandhu@carbon ~ $ secilc repr.cil
rsandhu@carbon ~ $ echo $?
0
rsandhu@carbon ~ $ file policy.35
policy.35: SE Linux policy v35 8 symbols 9 ocons
rsandhu@carbon ~ $ seinfo policy.35
Invalid policy: policy.35. A binary policy must be specified. (use e.g. policy.35 or sepolicy) Source policies are not supported.
rsandhu@carbon ~ $ ~/Workspace/selinux/userspace/secilc/secil2conf repr.cil
rsandhu@carbon ~ $ checkmodule policy.conf
policy.conf:5:ERROR 'syntax error' at token '}' on line 5:
type t;
allow t self : foo { };
checkmodule:  error(s) encountered while parsing configuration
rsandhu@carbon ~ $ sesearch policy.35 -A
Invalid policy: policy.35. A binary policy must be specified. (use e.g. policy.35 or sepolicy) Source policies are not supported.

-- 
Rahul Sandhu
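The question above is whether a compiler should at least warn when a CIL permission expression evaluates to the empty set. The following is an added example, not code from the post or from the SELinux userspace project: a small standalone lint that parses a CIL subset (bare `(class ...)` definitions and `(allow ...)` rules with `not`/`and`/`or`/`xor`/`all` permission expressions; `common`, `classcommon` and named permission sets are not handled) and reports every allow rule whose permissions collapse to nothing before the policy ever reaches secilc.

```python
import re

OPS = {"not", "and", "or", "xor", "all"}   # CIL permission-expression operators

def tokenize(text):
    """Split CIL source into '(' ')' and atoms; ';' comments run to end of line."""
    return re.findall(r"\(|\)|[^\s()]+", re.sub(r";[^\n]*", "", text))

def parse(tokens):
    """Turn the token stream into nested lists, one list per top-level statement."""
    stack, top = [], []
    for tok in tokens:
        if tok == "(":
            stack.append([])
        elif tok == ")":
            node = stack.pop()
            (stack[-1] if stack else top).append(node)
        else:
            (stack[-1] if stack else top).append(tok)
    if stack:
        raise ValueError("unbalanced parentheses in CIL input")
    return top

def eval_perms(expr, universe):
    """Evaluate a CIL permission expression to the set of class permissions it denotes."""
    if isinstance(expr, str):
        return {expr}
    if expr and expr[0] in OPS:
        op, args = expr[0], [eval_perms(a, universe) for a in expr[1:]]
        if op == "all": return set(universe)
        if op == "not": return set(universe) - args[0]
        if op == "and": return args[0] & args[1]
        if op == "or":  return args[0] | args[1]
        return args[0] ^ args[1]                       # xor
    return set().union(*(eval_perms(a, universe) for a in expr))   # plain perm list

def empty_allow_rules(cil_text):
    """Return (source, target, class) for every allow rule whose permissions collapse to nothing."""
    stmts = parse(tokenize(cil_text))
    classes = {s[1]: set(s[2]) for s in stmts if s and s[0] == "class"}  # only bare (class ...)
    empty = []
    for s in stmts:
        if s and s[0] == "allow":
            src, tgt, (cls, perm_expr) = s[1], s[2], s[3]
            if cls in classes and not eval_perms(perm_expr, classes[cls]):
                empty.append((src, tgt, cls))
    return empty

# Constructed sample: the reproducer's class and allow rule, plus one rule that stays non-empty.
SAMPLE = """(class foo (bar baz))
(allow t self (foo (not (bar baz))))   ; collapses to {} -> should be reported
(allow t self (foo (or (bar) (not (bar baz)))))  ; evaluates to {bar} -> fine"""

if __name__ == "__main__":
    for src, tgt, cls in empty_allow_rules(SAMPLE):
        print(f"warning: allow {src} {tgt}:{cls} has an empty permission set")
```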

Thread overview:
2026-05-28 14:53 Rahul Sandhu [this message]
2026-05-28 15:58 ` MRE: secilc and checkpolicy backend bugs James Carter
