On Wed, Jul 29, 2020 at 3:06 PM bauen1 <j2468h@xxxxxxxxxxxxxx> wrote: > > Hello, > I've discovered that a constraint like > > (constrain (file (open)) > (or > (eq t1 exec_t) ; probably doesn't matter > (or > (eq t1 exec_t) ; probably doesn't matter > (or > (eq t1 exec_t) ; probably doesn't matter > (or > ; Making and the first argument to or will produce a valid policy > (eq t1 exec_t) > (and > ; content probably doesn't matter > (eq t1 exec_t) > (eq t1 exec_t) > ) > ) > ) > ) > ) > ) > > allows secilc to finish compilation but generates a policy that is "invalid", file identifies it as an SELinux Binary Policy but seinfo and similiar tools refuse to operate on it. > I can confirm that this does cause secilc to create an invalid policy binary. I will have to investigate. Thanks, Jim > For example (using secilc/test/policy.cil): > $ file policy.32 > policy.32: SE Linux policy v32 8 symbols 9 ocons > $ seinfo policy.32 -x --constrain > Invalid policy: policy.32. A binary policy must be specified. (use e.g. policy.32 or sepolicy) Source policies are not supported. > > I've tested this with secilc 3.1-1 (debian) and from the current git master (9e2b8c61bfd275d0f007a736721c557755edf4a0) > > I hope that this is enough information to reproduce the issue. > > -- > bauen1 > https://dn42.bauen1.xyz/
