On Mon, Mar 2, 2020 at 10:46 AM Ondrej Mosnacek <omosnace@xxxxxxxxxx> wrote:
> Hm... this is probably a consequence of the second patch. Types are no
> longer considered a superset of an attribute containing a single type,
> so the single-type rule gets removed instead of the attribute one...
> But even before it picked the first rule only by chance (it was first
> in order). I would say that picking a single-type rule over an
> attribute rule in this case is outside of the scope of the algorithm.
> Shouldn't the compiler automatically expand each attribute that has
> less than 5 types in it? I recall seeing something in the code that
> did this. I think this was in the CIL part of libsepol, so maybe it
> applies only when compiling from CIL?

secilc has -G and -X options for controlling expansion of attributes,
but there aren't equivalent settings in semanage.conf to control when
building modular policies. Internally it all uses the libsepol CIL
support so it ought to be fixable. Looks like the default is 1 in
cil_db_init() so it only happens when the attribute has no types by
default?
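As an added illustration (not libsepol's code and not part of this thread), a small Python model of the -X / attrs_expand_size threshold the reply refers to: an attribute with fewer members than the threshold is replaced by its member types wherever a rule names it, so with the default of 1 only an empty attribute is expanded, while with -X 5 a single-type attribute collapses onto its type and the two rules from the quoted example become identical. The policy fragment, the rule tuple shape and the function names are constructed for this example.

```python
"""Toy model of CIL attribute expansion by member count (constructed).

Mirrors the documented meaning of `secilc -X <SIZE>`: expand attributes
with fewer than SIZE member types. It is not libsepol's implementation.
"""
from typing import Dict, FrozenSet, List, Set, Tuple

# (source, target, object class, permissions) -- a simplified allow rule.
Rule = Tuple[str, str, str, FrozenSet[str]]

# Constructed sample policy: attribute name -> member types.
ATTRS: Dict[str, Set[str]] = {
    "single_attr": {"foo_t"},                       # one member
    "empty_attr": set(),                            # no members
    "big_attr": {"a_t", "b_t", "c_t", "d_t", "e_t"},  # five members
}

RULES: List[Rule] = [
    ("single_attr", "bar_t", "file", frozenset({"read"})),
    ("foo_t", "bar_t", "file", frozenset({"read"})),  # same as above once expanded
    ("empty_attr", "bar_t", "file", frozenset({"write"})),
    ("big_attr", "bar_t", "file", frozenset({"getattr"})),
]


def expand_name(name: str, attrs: Dict[str, Set[str]], expand_size: int) -> List[str]:
    """Return the member types if `name` is an attribute below the threshold,
    otherwise the name itself. An empty attribute expands to nothing."""
    if name in attrs and len(attrs[name]) < expand_size:
        return sorted(attrs[name])
    return [name]


def expand_rules(rules: List[Rule], attrs: Dict[str, Set[str]],
                 expand_size: int = 1) -> List[Rule]:
    """Rewrite every rule so that small attributes are replaced by their
    members. The default of 1 matches cil_db_init(): only empty attributes
    are expanded, and rules on them are dropped."""
    out: List[Rule] = []
    for src, tgt, cls, perms in rules:
        for s in expand_name(src, attrs, expand_size):
            for t in expand_name(tgt, attrs, expand_size):
                out.append((s, t, cls, perms))
    return out


def count_duplicate_rules(rules: List[Rule]) -> int:
    """How many rules are exact repeats of an earlier rule."""
    return len(rules) - len(set(rules))
```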