On Sat, Jun 20, 2020 at 4:37 PM bauen1 <j2468h@xxxxxxxxxxxxxx> wrote:
>
> Hello,
>
> The below code can crash secilc reliably by using `all` as a classmap
> set identifier.
> This was tested against secilc / libsepol 3.0 from debian and a quick
> build from git.
> For some reason I haven't been able to build secilc and libsepol with
> debug symbols to track down the cause of the issue myself.
>
> - bauen1
>
>
> (sensitivity s0)
> (sensitivityorder (s0))
>
> (level low (s0))
> (level high (s0))
> (levelrange lowhigh (low high))
>
> (class file (getattr read))
> (classorder (file))
>
> (user test_u)
> (userrange test_u lowhigh)
> (userlevel test_u high)
>
> (role test_r)
> (userrole test_u test_r)
>
> (type kernel_t)
> (roletype test_r kernel_t)
>
> (sid kernel)
> (sidorder (kernel))
>
> (context kernel_context (test_u test_r kernel_t lowhigh))
> (sidcontext kernel kernel_context)
>
> (allow kernel_t kernel_t (file (read)))
>
> ; Test case that works
> (classmap testmap1 (test))
> (classmapping testmap1 test (file (read)))
> (allow kernel_t kernel_t (testmap1 (test)))
>
> ; Test that breaks secilc / libsepol
> (classmap testmap2 (all))
> (classmapping testmap2 all (file (read)))
> (allow kernel_t kernel_t (testmap2 (all)))
>

CIL needs to not allow set expression operators to be defined as a map
class permission.

Using (class C1 (P1a P1b P1c)) and adding C1 to the classorder
This also generates a segfault:
(classmap CM1 (and pm1 pm2))
(classmapping CM1 and (C1 (P1a)))
(classmapping CM1 pm1 (C1 (P1b)))
(classmapping CM1 pm2 (C1 (P1c)))
(allow t1 self (CM1 (and pm1 pm2)))

Thanks for the report,
Jim
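
An added example, not part of the original thread and not secilc/libsepol code: a pre-compile lint in Python that flags classmap permissions named after the class-permission set expression operators (and, or, xor, not, all), the condition both reproducers in the thread share. The function names and the sample policy are constructed for illustration; the lint only inspects classmap declarations.

```python
import re

# Operators of CIL class-permission set expressions (CIL reference guide).
SET_EXPR_OPERATORS = {"and", "or", "xor", "not", "all"}

# Comment, quoted string, parenthesis, or bare symbol.
TOKEN = re.compile(r';[^\n]*|"[^"]*"|[()]|[^\s()";]+')

def parse(text):
    """Parse CIL source into nested lists, dropping ';' comments."""
    root = []
    stack = [root]
    for tok in TOKEN.findall(text):
        if tok.startswith(";"):
            continue
        if tok == "(":
            node = []
            stack[-1].append(node)
            stack.append(node)
        elif tok == ")":
            if len(stack) == 1:
                raise ValueError("unbalanced ')'")
            stack.pop()
        else:
            stack[-1].append(tok)
    if len(stack) != 1:
        raise ValueError("unbalanced '('")
    return root

def reserved_classmap_perms(text):
    """Return (classmap, permission) pairs whose name is a set operator."""
    hits = []
    def walk(node):
        if (len(node) >= 3 and node[0] == "classmap"
                and isinstance(node[1], str) and isinstance(node[2], list)):
            hits.extend((node[1], p) for p in node[2]
                        if isinstance(p, str) and p in SET_EXPR_OPERATORS)
        for child in node:  # descend into blocks, macros, etc.
            if isinstance(child, list):
                walk(child)
    walk(parse(text))
    return hits

# Constructed sample, reduced from the statements quoted in the thread.
SAMPLE = """
; Test case that works
(classmap testmap1 (test))
(classmap testmap2 (all))
(block b (classmap CM1 (and pm1 pm2)))
"""
```

Running `reserved_classmap_perms` over a policy before handing it to secilc gives a clear diagnostic for the offending declaration instead of a compiler crash.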