On Fri, 2013-10-18 at 14:20 -0400, James Carter wrote: > I pushed an update of CIL to bitbucket. Here is another way to make secilc segfault: > (typeattribute canrelabeltoshadow) > > (typeattribute authunconfined) > ; Never allow relabelto operation on shadow_t files unless the source > ; is associated with canrelabeltoshadow or authunconfined > > (typeattribute notcanrelabeltoshadoworauthunconfined) > > (typeattributeset notcanrelabeltoshadoworauthunconfined > (not (or notcanrelabeltoshadoworauthunconfined authunconfined))) > > (neverallow notcanrelabeltoshadoworauthunconfined shadow_t (file > (relabelto))) > Its obviously a bug in the policy, but nonetheless it is like you said earlier: secilc should not segfault -- This message was distributed to subscribers of the selinux mailing list. If you no longer wish to subscribe, send mail to majordomo@xxxxxxxxxxxxx with the words "unsubscribe selinux" without quotes as the message.
