The expectation in CIL was to use user, role, or type attributes in constraint expressions. The problem is that neither user nor role attributes are part of the kernel binary policy, so when converting from a kernel policy to CIL, that would require the creation of a role or user attribute. The better solution is to just allow a list to be used. In fact, the only thing preventing a list to be used is a check in cil_verify_constraint_leaf_expr_syntax(). Remove the check and allow lists in constraint expressions. The following is now allowed: (constrain (CLASS1 (PERM1)) (eq r1 (ROLE1 ROLE2 ROLE_ATTR3))) Signed-off-by: James Carter <jwcart2@xxxxxxxxx> --- libsepol/cil/src/cil_verify.c | 3 --- 1 file changed, 3 deletions(-) diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c index 6706e219..09e3daf9 100644 --- a/libsepol/cil/src/cil_verify.c +++ b/libsepol/cil/src/cil_verify.c @@ -225,9 +225,6 @@ int cil_verify_constraint_leaf_expr_syntax(enum cil_flavor l_flavor, enum cil_fl cil_log(CIL_ERR, "u3, r3, and t3 can only be used with (mls)validatetrans rules\n"); goto exit; } - } else if (r_flavor == CIL_LIST) { - cil_log(CIL_ERR, "t1, t2, r1, r2, u1, u2 cannot be used on the left side with a list on the right side\n"); - goto exit; } } else { if (r_flavor == CIL_CONS_U2) { -- 2.26.2