SELinux Archive on
 help / color / Atom feed
From: James Carter <>
Subject: [PATCH] libsepol: Make an unknown permission an error in CIL
Date: Thu, 12 Sep 2019 14:30:35 -0400
Message-ID: <> (raw)

This patch is loosely based on a patch by Yuli Khodorkovskiy
<> from June 13th, 2019.

Since any permission used in the policy should be defined, CIL
should return an error if it cannot resolve a permission used
in a policy. This was the original behavior of CIL.

The behavior was changed over three commits from July to November
2016 (See commits 46e157b47, da51020d6, and 2eefb20d8). The change
was motivated by Fedora trying to remove permissions from its
policy that were never upstreamed (ex/ process ptrace_child and
capability2 compromise_kernel). Local or third party modules
compiled with those permissions would break policy updates.

After three years it seems unlikely that we need to worry about
those local and third party modules and it is time for CIL to
give an error like it should.

Signed-off-by: James Carter <>
 libsepol/cil/src/cil_resolve_ast.c | 12 ++++--------
 1 file changed, 4 insertions(+), 8 deletions(-)

diff --git a/libsepol/cil/src/cil_resolve_ast.c b/libsepol/cil/src/cil_resolve_ast.c
index ea08087d..863d9fe8 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -131,18 +131,14 @@ static int __cil_resolve_perms(symtab_t *class_symtab, symtab_t *common_symtab,
 			if (rc != SEPOL_OK) {
-				struct cil_list *empty_list;
 				if (class_flavor == CIL_MAP_CLASS) {
 					cil_log(CIL_ERR, "Failed to resolve permission %s for map class\n", (char*)curr->data);
-					goto exit;
+				} else {
+					cil_log(CIL_ERR, "Failed to resolve permission %s\n", (char*)curr->data);
-				cil_log(CIL_WARN, "Failed to resolve permission %s\n", (char*)curr->data);
-				/* Use an empty list to represent unknown perm */
-				cil_list_init(&empty_list, perm_strs->flavor);
-				cil_list_append(*perm_datums, CIL_LIST, empty_list);
-			} else {
-				cil_list_append(*perm_datums, CIL_DATUM, perm_datum);
+				goto exit;
+			cil_list_append(*perm_datums, CIL_DATUM, perm_datum);
 		} else {
 			cil_list_append(*perm_datums, curr->flavor, curr->data);

                 reply index

Thread overview: [no followups] expand[flat|nested]  mbox.gz  Atom feed

Reply instructions:

You may reply publically to this message via plain-text email
using any one of the following methods:

* Save the following mbox file, import it into your mail client,
  and reply-to-all from there: mbox

  Avoid top-posting and favor interleaved quoting:

* Reply using the --to, --cc, and --in-reply-to
  switches of git-send-email(1):

  git send-email \ \ \ \

* If your mail client supports setting the In-Reply-To header
  via mailto: links, try the mailto: link

SELinux Archive on

Archives are clonable:
	git clone --mirror selinux/git/0.git

	# If you have public-inbox 1.1+ installed, you may
	# initialize and index your mirror using the following commands:
	public-inbox-init -V2 selinux selinux/ \
	public-inbox-index selinux

Newsgroup available over NNTP:

AGPL code for this site: git clone public-inbox