SELinux policies contain a lot of different identifiers, like users, roles, types, attributes, booleans, level aliases, classes and permissions (non-exhaustive list). In the frontend compilers, like checkpolicy(8) and secilc(8), those are quite limited with regard to the supported character set, mainly `[A-Za-z][A-Za-z0-9-_]*`. For the vast majority of policies, and in particular the Reference and Fedora ones, this range of possible identifiers should be sufficient.

I'd like to discuss two shortcomings I currently see:

I. Length of identifiers

There seems to be no identifier length limit in checkpolicy(8) and a quite high one of 2048 in secilc(8). On the other hand, netfilter secmark supports only (whole) security contexts with a length of 256 (NFT_SECMARK_CTX_MAXLEN), and all selinuxfs operations are limited to around the PAGE_SIZE (4096).

II. Binary Policies

Parsing identifiers from a binary policy, either in userspace via libsepol or in the kernel (see str_read()), does not impose any constraints related to character set or length. Binary policies should generally be trusted, especially when loading them into the kernel, but this might affect future additions of SELinux namespaces or debugging foreign policies in userspace.

Stricter constraints on identifiers would ensure crafted identifiers (unicode, control characters, etc.) would be invalid and need no special treatment in userspace or the kernel. Also, fuzzing libsepol would benefit, as the fuzzer is currently limited to an identifier limit of 65536 to avoid OOM failures.

WDYT?
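
An added example, not part of the original message and not libsepol or kernel code: a C check that applies the compilers' character set `[A-Za-z][A-Za-z0-9-_]*` and a length cap to an identifier given as raw bytes with an explicit length, the form a binary-policy reader receives. The names `ident_check` and `enum ident_status` are hypothetical, and the cap is a parameter because the message proposes no specific value.

```c
#include <stddef.h>

/* Hypothetical result codes for this example. */
enum ident_status {
    IDENT_OK = 0,
    IDENT_EMPTY,
    IDENT_TOO_LONG,
    IDENT_BAD_FIRST,  /* first byte is not an ASCII letter */
    IDENT_BAD_CHAR    /* later byte outside [A-Za-z0-9-_] */
};

/* Explicit ASCII ranges: <ctype.h> is locale-dependent. */
static int is_ascii_alpha(unsigned char c)
{
    return (c >= 'A' && c <= 'Z') || (c >= 'a' && c <= 'z');
}

static int is_ascii_digit(unsigned char c)
{
    return c >= '0' && c <= '9';
}

/*
 * Validate an identifier supplied as bytes plus a length (not a C string),
 * so embedded NULs, control characters and UTF-8 bytes are all inspected.
 * The length is checked before any byte is read, which lets a reader
 * reject an oversized identifier before allocating memory for it.
 * max_len is the caller's policy decision (assumption of this example).
 */
enum ident_status ident_check(const unsigned char *buf, size_t len,
                              size_t max_len)
{
    size_t i;

    if (len == 0)
        return IDENT_EMPTY;
    if (len > max_len)
        return IDENT_TOO_LONG;
    if (!is_ascii_alpha(buf[0]))
        return IDENT_BAD_FIRST;
    for (i = 1; i < len; i++) {
        unsigned char c = buf[i];

        if (!is_ascii_alpha(c) && !is_ascii_digit(c) && c != '-' && c != '_')
            return IDENT_BAD_CHAR;
    }
    return IDENT_OK;
}
```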