On Wed, Mar 17, 2021 at 5:31 AM Nicolas Iooss <nicolas.iooss@xxxxxxx> wrote:
>
> On Tue, Mar 16, 2021 at 9:49 PM James Carter <jwcart2@xxxxxxxxx> wrote:
> >
> > The expectation in CIL was to use user, role, or type attributes in
> > constraint expressions. The problem is that neither user nor role
> > attributes are part of the kernel binary policy, so when converting
> > from a kernel policy to CIL, that would require the creation of a
> > role or user attribute. The better solution is to just allow a list
> > to be used. In fact, the only thing preventing a list from being used
> > is a check in cil_verify_constraint_leaf_expr_syntax().
> >
> > Remove the check and allow lists in constraint expressions.
> >
> > The following is now allowed:
> > (constrain (CLASS1 (PERM1)) (eq r1 (ROLE1 ROLE2 ROLE_ATTR3)))
> >
> > Signed-off-by: James Carter <jwcart2@xxxxxxxxx>
>
> For these 4 patches:
> Acked-by: Nicolas Iooss <nicolas.iooss@xxxxxxx>
>

These four patches have been merged (the patch below was merged as well).
Thanks,
Jim

> Before merging, the patch that I sent to fix an issue with some gcc
> optimizations (https://lore.kernel.org/selinux/20210316222313.19793-1-nicolas.iooss@xxxxxxx/)
> should be reviewed and applied.
>
> Nicolas
>
> > ---
> > libsepol/cil/src/cil_verify.c | 3 ---
> > 1 file changed, 3 deletions(-)
> >
> > diff --git a/libsepol/cil/src/cil_verify.c b/libsepol/cil/src/cil_verify.c
> > index 6706e219..09e3daf9 100644
> > --- a/libsepol/cil/src/cil_verify.c
> > +++ b/libsepol/cil/src/cil_verify.c
> > @@ -225,9 +225,6 @@ int cil_verify_constraint_leaf_expr_syntax(enum cil_flavor l_flavor, enum cil_fl
> > cil_log(CIL_ERR, "u3, r3, and t3 can only be used with (mls)validatetrans rules\n");
> > goto exit;
> > }
> > - } else if (r_flavor == CIL_LIST) {
> > - cil_log(CIL_ERR, "t1, t2, r1, r2, u1, u2 cannot be used on the left side with a list on the right side\n");
> > - goto exit;
> > }
> > } else {
> > if (r_flavor == CIL_CONS_U2) {
> > --
> > 2.26.2
> >
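Review bot: dropping the `else if (r_flavor == CIL_LIST)` branch means a list on the right-hand side of u1/u2/r1/r2/t1/t2 is no longer rejected at syntax-check time and instead falls through to the later resolution and policydb-generation stages, but nothing in the hunk shows that those stages accept a list there; the commit message's claim that this check was "the only thing preventing" lists should be backed by a test case exercising the quoted form `(constrain (CLASS1 (PERM1)) (eq r1 (ROLE1 ROLE2 ROLE_ATTR3)))` (and the user and type variants, since the removed message named t1, t2, u1 and u2 as well). The CIL documentation for constrain/mlsconstrain should also be updated in the same series to state that a list of users, roles or types is now accepted in that position, so the new syntax is discoverable rather than only implied by the removed error message.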