On Tue, Mar 16, 2021 at 9:49 PM James Carter <jwcart2@xxxxxxxxx> wrote:
>
> The expectation in CIL was to use user, role, or type attributes in
> constraint expressions. The problem is that neither user nor role
> attributes are part of the kernel binary policy, so when converting
> from a kernel policy to CIL, that would require the creation of a
> role or user attribute. The better solution is to just allow a list
> to be used. In fact, the only thing preventing a list to be used
> is a check in cil_verify_constraint_leaf_expr_syntax().
>
> Remove the check and allow lists in constraint expressions.
>
> The following is now allowed:
> (constrain (CLASS1 (PERM1)) (eq r1 (ROLE1 ROLE2 ROLE_ATTR3)))
>
> Signed-off-by: James Carter <jwcart2@xxxxxxxxx>

For these 4 patches:
Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>

Before merging, the patch that I sent to fix an issue with some gcc
optimizations
(https://lore.kernel.org/selinux/20210316222313.19793-1-nicolas.iooss@xxxxxxx/)
should be reviewed and applied.

Nicolas

> ---
> libsepol/cil/src/cil_verify.c | 3 ---
> 1 file changed, 3 deletions(-)
>
> diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
> index 6706e219..09e3daf9 100644
> --- a/libsepol/cil/src/cil_verify.c
> +++ b/libsepol/cil/src/cil_verify.c
> @@ -225,9 +225,6 @@ int cil_verify_constraint_leaf_expr_syntax(enum cil_flavor l_flavor, enum cil_fl
> cil_log(CIL_ERR, "u3, r3, and t3 can only be used with (mls)validatetrans rules\n");
> goto exit;
> }
> - } else if (r_flavor == CIL_LIST) {
> - cil_log(CIL_ERR, "t1, t2, r1, r2, u1, u2 cannot be used on the left side with a list on the right side\n");
> - goto exit;
> }
> } else {
> if (r_flavor == CIL_CONS_U2) {
> --
> 2.26.2
>
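Review bot: Removing the `} else if (r_flavor == CIL_LIST)` branch drops the only check in this function that rejected a list on the right-hand side of a t1/t2/r1/r2/u1/u2 leaf, but the hunk does not show where the list's members are later resolved and checked against the left-hand-side flavor (for example, that every element of the list paired with `r1` is a role or role attribute rather than a type). The commit message states that this syntax check was the only barrier; it would help reviewers to say where that flavor check happens, and to add a CIL test case for the form given in the message, `(constrain (CLASS1 (PERM1)) (eq r1 (ROLE1 ROLE2 ROLE_ATTR3)))`, plus a negative case with a mismatched list, so that a constraint that silently matches the wrong kind of identifier cannot reach the compiled policy. The CIL documentation for constraint expression syntax should also be updated to mention that lists are accepted there.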