The following policy will cause a segfault: (class CLASS (PERM)) (class C (P1 P2 P3)) (classorder (CLASS C)) (sid SID) (sidorder (SID)) (user USER) (role ROLE) (type TYPE) (category CAT) (categoryorder (CAT)) (sensitivity SENS) (sensitivityorder (SENS)) (sensitivitycategory SENS (CAT)) (allow TYPE self (CLASS (PERM))) (roletype ROLE TYPE) (userrole USER ROLE) (userlevel USER (SENS)) (userrange USER ((SENS)(SENS (CAT)))) (sidcontext SID (USER ROLE TYPE ((SENS)(SENS)))) (classmap CM (PM1 PM2 PM3)) (classmapping CM PM1 (C (P1))) (classmapping CM PM2 (C (P2))) (classmapping CM PM3 (C (P3))) (allow TYPE self (CM (and (all) (not PM2)))) The problem is that, while permission expressions are allowed for normal classes, map classes are expected to only have permission lists and no check is done to verify that only a permission list is being used. When the above policy is parsed, the "and" and "all" are seen as expression operators, but when the map permissions are converted to normal class and permissions, the permission expression is assumed to be a list of datums and since the operators are not datums a segfault is the result. There is no reason to limit map classes to only using a list of permissions and, in fact, it would be better to be able to use them in the same way normal classes are used. Allow permissions expressions to be used for map classes by first evaluating the permission expression and then converting the resulting list to normal classes and permissions. Signed-off-by: James Carter <jwcart2@xxxxxxxxx> --- libsepol/cil/src/cil_post.c | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/libsepol/cil/src/cil_post.c b/libsepol/cil/src/cil_post.c index d2ecbd43..6990fc07 100644 --- a/libsepol/cil/src/cil_post.c +++ b/libsepol/cil/src/cil_post.c @@ -2130,6 +2130,10 @@ static int __evaluate_classperms_list(struct cil_list *classperms, struct cil_db } } else { /* MAP */ struct cil_list_item *i = NULL; + rc = __evaluate_classperms(cp, db); + if (rc != SEPOL_OK) { + goto exit; + } cil_list_for_each(i, cp->perms) { struct cil_perm *cmp = i->data; rc = __evaluate_classperms_list(cmp->classperms, db); -- 2.26.2