SELinux Security Module development
* MRE: secilc and checkpolicy backend bugs
@ 2026-05-28 14:53 Rahul Sandhu
  2026-05-28 15:58 ` James Carter
  0 siblings, 1 reply; 2+ messages in thread
From: Rahul Sandhu @ 2026-05-28 14:53 UTC (permalink / raw)
  To: SElinux list

Hi,

I have stumbled across some bugs in secilc and the backend for emitting
kernel policy language.

secilc appears to miscount AV rules that collapse to nothing, so seinfo
errors as the policy binary emitted by the compiler has no valid AV
rules contained within.

The backend for emitting kernel policy language used by secil2conf also
seems to emit invalid allow statements when cil permissions collapse to
nothing, something which is, at present, valid in CIL.

Patches for both are to follow soon. However, I'm a little unsure about
the semantics of allow rules that collapse to nothing: is there a
use case for them and should the compiler error or warn on them? I'm not
sure if erroring, or at least doing so by default, is a good idea given
backwards compatibility concerns, but I think it may very well be
reasonable to offer this as a warning.

Please see a minimal reproducer below:

rsandhu@carbon ~ $ cat repr.cil
(user u)
(userrange u lowlow)
(userlevel u low)
(userrole u r)

(role r)

(roletype r t)

(type t)

(sensitivity s0)
(sensitivityorder (s0))

(level low (s0))
(levelrange lowlow (low low))

(context context (u r t lowlow))

(sid kernel)
(sidorder (kernel))
(sidcontext kernel context)

(class foo (bar baz))
(classorder (foo))

(allow t self (foo (not (bar baz))))
rsandhu@carbon ~ $ secilc repr.cil
rsandhu@carbon ~ $ echo $?
0
rsandhu@carbon ~ $ file policy.35
policy.35: SE Linux policy v35 8 symbols 9 ocons
rsandhu@carbon ~ $ seinfo policy.35
Invalid policy: policy.35. A binary policy must be specified. (use e.g. policy.35 or sepolicy) Source policies are not supported.
rsandhu@carbon ~ $ ~/Workspace/selinux/userspace/secilc/secil2conf repr.cil
rsandhu@carbon ~ $ checkmodule policy.conf
policy.conf:5:ERROR 'syntax error' at token '}' on line 5:
type t;
allow t self : foo { };
checkmodule:  error(s) encountered while parsing configuration
rsandhu@carbon ~ $ sesearch policy.35 -A
Invalid policy: policy.35. A binary policy must be specified. (use e.g. policy.35 or sepolicy) Source policies are not supported.

-- 
Rahul Sandhu

^ permalink raw reply	[flat|nested] 2+ messages in thread

* Re: MRE: secilc and checkpolicy backend bugs
  2026-05-28 14:53 MRE: secilc and checkpolicy backend bugs Rahul Sandhu
@ 2026-05-28 15:58 ` James Carter
  0 siblings, 0 replies; 2+ messages in thread
From: James Carter @ 2026-05-28 15:58 UTC (permalink / raw)
  To: Rahul Sandhu; +Cc: SElinux list

On Thu, May 28, 2026 at 10:56 AM Rahul Sandhu <nvraxn@posteo.uk> wrote:
>
> Hi,
>
> I have stumbled across some bugs in secilc and the backend for emitting
> kernel policy language.
>
> secilc appears to miscount AV rules that collapse to nothing, so seinfo
> errors as the policy binary emitted by the compiler has no valid AV
> rules contained within.
>
> The backend for emitting kernel policy language used by secil2conf also
> seems to emit invalid allow statements when cil permissions collapse to
> nothing, something which is, at present, valid in CIL.
>
> Patches for both are to follow soon. However, I'm a little unsure about
> the semantics of allow rules that collapse to nothing: is there a
> use case for them and should the compiler error or warn on them? I'm not
> sure if erroring, or at least doing so by default, is a good idea given
> backwards compatibility concerns, but I think it may very well be
> reasonable to offer this as a warning.
>

It can happen when you allow an expression like in your reproducer. I
wouldn't consider it an error, but a warning seems like a good idea.
We specifically check for no permissions, so I am curious about what
is going on here.

> Please see a minimal reproducer below:
>

Thanks for the report and reproducer!
Jim

> rsandhu@carbon ~ $ cat repr.cil
> (user u)
> (userrange u lowlow)
> (userlevel u low)
> (userrole u r)
>
> (role r)
>
> (roletype r t)
>
> (type t)
>
> (sensitivity s0)
> (sensitivityorder (s0))
>
> (level low (s0))
> (levelrange lowlow (low low))
>
> (context context (u r t lowlow))
>
> (sid kernel)
> (sidorder (kernel))
> (sidcontext kernel context)
>
> (class foo (bar baz))
> (classorder (foo))
>
> (allow t self (foo (not (bar baz))))
> rsandhu@carbon ~ $ secilc repr.cil
> rsandhu@carbon ~ $ echo $?
> 0
> rsandhu@carbon ~ $ file policy.35
> policy.35: SE Linux policy v35 8 symbols 9 ocons
> rsandhu@carbon ~ $ seinfo policy.35
> Invalid policy: policy.35. A binary policy must be specified. (use e.g. policy.35 or sepolicy) Source policies are not supported.
> rsandhu@carbon ~ $ ~/Workspace/selinux/userspace/secilc/secil2conf repr.cil
> rsandhu@carbon ~ $ checkmodule policy.conf
> policy.conf:5:ERROR 'syntax error' at token '}' on line 5:
> type t;
> allow t self : foo { };
> checkmodule:  error(s) encountered while parsing configuration
> rsandhu@carbon ~ $ sesearch policy.35 -A
> Invalid policy: policy.35. A binary policy must be specified. (use e.g. policy.35 or sepolicy) Source policies are not supported.
>
> --
> Rahul Sandhu
>

^ permalink raw reply	[flat|nested] 2+ messages in thread
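
An added illustration, not part of either message and not libsepol code: a simplified Python model of how the reproducer's permission expression resolves to the empty set, flagging such allow rules in the way the warning discussed in the thread might. It assumes top-level class and allow statements only (no commons, class permission sets, blocks or macros); the function names and the two extra allow rules in the sample are constructed here.

```python
import re

def parse(text):
    """Parse CIL S-expressions into nested lists (';' comments stripped)."""
    stack = [[]]
    for tok in re.findall(r"[()]|[^\s()]+", re.sub(r";.*", "", text)):
        if tok == "(":
            stack.append([])
        elif tok == ")":
            done = stack.pop()
            stack[-1].append(done)
        else:
            stack[-1].append(tok)
    return stack[0]

def eval_perms(expr, universe):
    """Resolve a permission expression against a class's permission set."""
    if isinstance(expr, str):
        return set(universe) if expr == "all" else {expr}
    if expr and expr[0] == "not":
        return universe - eval_perms(expr[1], universe)
    if expr and expr[0] in ("and", "or", "xor"):
        a, b = eval_perms(expr[1], universe), eval_perms(expr[2], universe)
        return {"and": a & b, "or": a | b, "xor": a ^ b}[expr[0]]
    # A plain list such as (bar baz) is the union of its members.
    return set().union(*(eval_perms(e, universe) for e in expr))

def empty_allows(text):
    """Return (source, target, class, expr) for allow rules with no perms."""
    tree = parse(text)
    classes = {f[1]: set(f[2]) for f in tree if f[0] == "class"}
    hits = []
    for f in tree:
        if f[0] == "allow" and isinstance(f[3], list) and f[3][0] in classes:
            cls, expr = f[3]
            if not eval_perms(expr, classes[cls]):
                hits.append((f[1], f[2], cls, expr))
    return hits

# Constructed sample: class and first allow are from the reproducer,
# the other two allow rules are added for contrast.
SAMPLE = """
(class foo (bar baz))
(type t)
(allow t self (foo (not (bar baz))))
(allow t self (foo (not (bar))))
(allow t self (foo (and (bar) (baz))))
"""

if __name__ == "__main__":
    for src, tgt, cls, expr in empty_allows(SAMPLE):
        print(f"warning: allow {src} {tgt} : {cls} resolves to no permissions: {expr}")
```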
