Hi list,

I am using in my RefPolicy based policy constraints containing role-attributes:

    attribute_role unpriv_roles;
    ...
    constrain ... r1 != unpriv_roles

This worked fine so far and the language specification [1][2] permits the usage of type attributes (by using them in the examples) and states no differences between `t1 op names` and `r1 op names`.

Today I debugged a crash of seinfo(1) on generated binary policies of mine. `seinfo path/to/build/policy --constrain` segfaults at [3], when run on a built binary policy. These binary policies are generated by the RefPolicy target `make validate`, running either semodule_link(8) and semodule_expand(8) (modular build) or checkpolicy(8) (monolithic build).

Running `seinfo --constrain`, using the currently loaded kernel policy, works fine and shows the expanded roles in the according constrain (e.g. `r1 != { user_r guest_r ... }`).

On further testing I noticed that on Fedora 34 with libsepol 3.2 building such policies fails entirely:

    ...
    Validating policy file contexts.
    libsepol.validate_constraint_nodes: Invalid constraint expr
    libsepol.validate_class_datum: Invalid class datum
    libsepol.validate_datum_arrays: Invalid datum arrays
    libsepol.validate_policydb: Invalid policydb
    libsepol.sepol_set_policydb_from_file: can't read binary policy: Success
    Error reading policy tmp/policy.bin: Success
    make: *** [Rules.modular:215: validate] Error 255

This seems to be caused by [4].

From my point of view this is a regression: Role-attributes in constraints worked prior to libsepol 3.2, work in CIL and are not explicitly disallowed by the language specification. `validate_constraint_nodes()` [5] should accept attribute_role identifiers.

To fix the original seinfo crash, I'd like to ask whether setools should accept role-attribute identifiers in compiled binary policies, or if semodule_expand(8) and checkpolicy(8) should expand them at build-time (currently they are expanded at load-time (load_policy(8))).
Best regards,
Christian Göttsche

[1]: https://selinuxproject.org/page/ConstraintStatements
[2]: https://github.com/SELinuxProject/selinux-notebook/blob/main/src/constraint_statements.md#constraint-statements
[3]: https://github.com/SELinuxProject/setools/blob/master/setools/policyrep/role.pxi#L34
[4]: https://github.com/SELinuxProject/selinux/commit/0861c659b59cb106bad1b1d0c9f511a7140a1023
[5]: https://github.com/SELinuxProject/selinux/blob/master/libsepol/src/policydb_validate.c#L170
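The build-time expansion the mail asks about, as an added illustration that is not part of the original post or of the SELinux toolchain: a source-level pass that resolves `attribute_role` identifiers used as `r1`/`r2` operands in `constrain` statements into the explicit role set, so a policy can be validated by a libsepol that rejects them. The sample policy text is constructed here, modelled on the pattern in the mail.

```python
import re

# Constructed kernel-policy-language sample (not the author's RefPolicy sources).
SAMPLE_POLICY = """
attribute_role unpriv_roles;
role user_r;
role guest_r;
role sysadm_r;
roleattribute user_r unpriv_roles;
roleattribute guest_r unpriv_roles;
constrain process { transition dyntransition } ( r1 == r2 or r1 != unpriv_roles );
constrain file { write } ( u1 == u2 );
"""


def parse_role_attributes(policy):
    """Map each attribute_role name to the set of roles assigned to it."""
    attrs = {m.group(1): set()
             for m in re.finditer(r'^attribute_role\s+(\w+)\s*;', policy, re.M)}
    # roleattribute <role> <attr>[, <attr>...];
    for m in re.finditer(r'^roleattribute\s+(\w+)\s+([\w,\s]+?)\s*;', policy, re.M):
        role, names = m.group(1), m.group(2)
        for attr in re.split(r'[,\s]+', names.strip()):
            attrs.setdefault(attr, set()).add(role)
    return attrs


def expand_role_attrs_in_constraints(policy):
    """Rewrite `r1 op attr` / `r2 op attr` inside constrain statements as `rN op { roles }`."""
    attrs = parse_role_attributes(policy)

    def expand_operand(m):
        lhs, op, operand = m.group(1), m.group(2), m.group(3)
        if operand not in attrs:          # a plain role name or r1/r2: leave untouched
            return m.group(0)
        if not attrs[operand]:            # an empty set would silently change semantics
            raise ValueError(f'attribute_role {operand} has no roles assigned')
        return f'{lhs} {op} {{ {" ".join(sorted(attrs[operand]))} }}'

    def expand_statement(m):
        return re.sub(r'\b(r[12])\s*(==|!=)\s*(\w+)', expand_operand, m.group(0))

    # A constrain/mlsconstrain statement runs from its keyword to the first ';',
    # possibly across several lines.
    return re.sub(r'^(?:mls)?constrain\b.*?;', expand_statement, policy, flags=re.M | re.S)


if __name__ == '__main__':
    print(expand_role_attrs_in_constraints(SAMPLE_POLICY))
```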