On Wed, Jul 29, 2020 at 5:02 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> On Wed, Jul 29, 2020 at 3:06 PM bauen1 <j2468h@xxxxxxxxxxxxxx> wrote:
> >
> > Hello,
> > I've discovered that a constraint like
> >
> > (constrain (file (open))
> >   (or
> >     (eq t1 exec_t) ; probably doesn't matter
> >     (or
> >       (eq t1 exec_t) ; probably doesn't matter
> >       (or
> >         (eq t1 exec_t) ; probably doesn't matter
> >         (or
> >           ; Making and the first argument to or will produce a valid policy
> >           (eq t1 exec_t)
> >           (and
> >             ; content probably doesn't matter
> >             (eq t1 exec_t)
> >             (eq t1 exec_t)
> >           )
> >         )
> >       )
> >     )
> >   )
> > )
> >
> > allows secilc to finish compilation but generates a policy that is "invalid": file identifies it as an SELinux Binary Policy, but seinfo and similar tools refuse to operate on it.
> >
>
> I can confirm that this does cause secilc to create an invalid policy binary.
>
> I will have to investigate.

So the problem is that this constraint expression exceeds the depth allowed by libsepol. An error should be given by CIL when the depth reaches 5, but CIL was not correctly keeping track of the depth. A patch will be sent shortly.

Thanks for reporting this.

Jim

> Thanks,
> Jim
>
> > For example (using secilc/test/policy.cil):
> > $ file policy.32
> > policy.32: SE Linux policy v32 8 symbols 9 ocons
> > $ seinfo policy.32 -x --constrain
> > Invalid policy: policy.32. A binary policy must be specified. (use e.g. policy.32 or sepolicy) Source policies are not supported.
> >
> > I've tested this with secilc 3.1-1 (debian) and from the current git master (9e2b8c61bfd275d0f007a736721c557755edf4a0)
> >
> > I hope that this is enough information to reproduce the issue.
> >
> > --
> > bauen1
> > https://dn42.bauen1.xyz/
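The depth problem Jim describes, as an added example that is not part of the thread and not code from the SELinux project: a small Python checker that parses a CIL constrain statement and counts nested and/or/not operators, flagging the reported expression once the depth reaches 5. The limit value and the counting convention are assumptions taken from the wording of the mail, not from libsepol's source.

```python
import re

# Operators that nest inside a CIL constraint expression.
BOOL_OPS = {"and", "or", "not"}

# Assumed limit from the mail: an error is expected once the nesting
# depth of and/or/not reaches 5. The exact libsepol convention is not
# shown in the thread, so this value and the counting rule are assumptions.
MAX_DEPTH = 5

def tokenize(text):
    """Split CIL text into '(', ')' and atoms, dropping ';' comments."""
    text = re.sub(r";[^\n]*", "", text)
    return re.findall(r"\(|\)|[^\s()]+", text)

def parse(tokens):
    """Turn a token list into nested Python lists (one s-expression)."""
    pos = 0
    def read():
        nonlocal pos
        tok = tokens[pos]
        pos += 1
        if tok == "(":
            items = []
            while tokens[pos] != ")":
                items.append(read())
            pos += 1  # consume the matching ')'
            return items
        if tok == ")":
            raise ValueError("unexpected ')'")
        return tok
    expr = read()
    if pos != len(tokens):
        raise ValueError("trailing tokens after expression")
    return expr

def expr_depth(expr):
    """Depth of nested and/or/not operators; leaf comparisons count 0."""
    if not isinstance(expr, list) or not expr:
        return 0
    own = 1 if expr[0] in BOOL_OPS else 0
    return own + max((expr_depth(e) for e in expr[1:]), default=0)

def check_constrain(text, max_depth=MAX_DEPTH):
    """Return (depth, ok) for a '(constrain (classes (perms)) expr)' statement."""
    stmt = parse(tokenize(text))
    if not (isinstance(stmt, list) and len(stmt) == 3 and stmt[0] == "constrain"):
        raise ValueError("not a constrain statement")
    depth = expr_depth(stmt[2])
    return depth, depth < max_depth

# Constructed inputs: the reported expression (comments removed) and a shallow one.
REPORTED = """(constrain (file (open))
  (or (eq t1 exec_t)
    (or (eq t1 exec_t)
      (or (eq t1 exec_t)
        (or (eq t1 exec_t)
          (and (eq t1 exec_t) (eq t1 exec_t)))))))"""
SHALLOW = "(constrain (file (open)) (or (eq t1 exec_t) (and (eq t1 exec_t) (eq t1 exec_t))))"
```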