False positive "syntax errors" in Fedora distribution policy
Closed this issue · 2 comments
vmojzis commented
Hi,
selint is reporting syntax errors in Fedora distribution policy which compiles and works properly with the latest upstream userspace code.
Reproducer:
$ cat <<EOF >> test.te
policy_module(test, 1.0.0)
type test_t;
userfaultfd_anon_inode_perms(test_t)
EOF
$ git clone https://github.com/fedora-selinux/selinux-policy.git
$ selint -s -r --context=selinux-policy test.te
obj_perm_sets.spt: 284: (F): syntax error, unexpected COMMENT (F-001)
284 | # deprecated 2022.02.07
| ^~~~~~~~~~~~~~~~~~~~~~~
Warning: Failed to permission and class set macros from base-policy/policy/support/obj_perm_sets.spt: 6
sandbox.te: 52: (F): syntax error, unexpected DASH (F-001)
52 | files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t )
| ^
sandbox.te: 52: (F): Error: Invalid statement (F-001)
52 | files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile -usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t )
| ^~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Error: Failed to parse files
When the problematic comment is removed, selint still doesn't like the refpolicywarn (based on a quick look at the parser it looks like "refpolicywarn" is only allowed to be placed after the "string_list").
obj_perm_sets.spt: 284: (F): syntax error, unexpected REFPOLICYWARN (F-001)
284 | refpolicywarn(`userfaultfd_anon_inode_perms() is deprecated, please use common_inode_perms() instead.')
| ^~~~~~~~~~~~~
vmojzis commented
Note that selint 1.1.0 only reports
obj_perm_sets.spt: 285: (F): syntax error, unexpected REFPOLICYWARN (F-001)
Warning: Failed to load obj_perm_sets.spt: 6
and is fine with the comment and "-type" notation.
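The three constructs behind these diagnostics are ordinary refpolicy syntax: a `#` comment line preceding a `define` body, a `refpolicywarn()` call inside that body (the deprecation pattern the quoted line 284 uses), and `-type` negation inside a macro argument list. The following is an added example, not selint's parser or anything from selinux-policy: a small tolerant reader in Python that handles nested m4 quotes, separates `refpolicywarn()` messages from the permission tokens, and resolves a deprecated set alias to the set it forwards to. The `.spt` fragment and the permission list are constructed for the example and only modelled on the lines quoted in the report.

```python
"""Tolerant reader for the refpolicy constructs selint 1.0.x/1.1.0 rejected.

Example code written for this issue thread; not selint's parser.
"""
import re

# Constructed sample modelled on the obj_perm_sets.spt lines quoted above.
# The permission list is illustrative, not the real file's contents.
SAMPLE_SPT = """\
define(`common_inode_perms', `{ create open getattr setattr read write append rename link unlink ioctl lock }')

#
# deprecated 2022.02.07
define(`userfaultfd_anon_inode_perms', `
\trefpolicywarn(`userfaultfd_anon_inode_perms() is deprecated, please use common_inode_perms() instead.')
\tcommon_inode_perms
')
"""

# The sandbox.te call from the report: '-foo_t' excludes foo_t from the set.
SAMPLE_CALL = ("files_rw_all_inherited_files(sandbox_domain, -exec_type -configfile "
               "-usr_t -lib_t -locale_t -var_t -var_run_t -device_t -rpm_log_t )")


def strip_comments(text):
    """Drop '#' comment lines; they may sit between or inside define() bodies."""
    return "\n".join(l for l in text.splitlines() if not l.lstrip().startswith("#"))


def read_quoted(text, pos):
    """Return (content, next_pos) for the m4 quote `...' starting at text[pos]."""
    if text[pos] != "`":
        raise ValueError(f"expected m4 open quote at offset {pos}")
    depth = 0
    for i in range(pos, len(text)):
        if text[i] == "`":
            depth += 1
        elif text[i] == "'":
            depth -= 1
            if depth == 0:          # nested quotes (e.g. inside refpolicywarn) balance out
                return text[pos + 1:i], i + 1
    raise ValueError("unterminated m4 quote")


def parse_defines(text):
    """Map each define(`name', `body') in the text to its raw body."""
    defines, text, pos = {}, strip_comments(text), 0
    while (start := text.find("define(", pos)) >= 0:
        i = start + len("define(")
        while text[i].isspace(): i += 1
        name, i = read_quoted(text, i)
        while text[i].isspace(): i += 1
        if text[i] != ",":
            raise ValueError(f"expected ',' after define name {name!r}")
        i += 1
        while text[i].isspace(): i += 1
        body, i = read_quoted(text, i)
        while text[i].isspace(): i += 1
        if text[i] != ")":
            raise ValueError(f"expected ')' closing define {name!r}")
        defines[name] = body
        pos = i + 1
    return defines


def split_body(body):
    """Separate refpolicywarn() messages from the permission tokens of a body."""
    warnings, tokens, i = [], [], 0
    while i < len(body):
        if body.startswith("refpolicywarn(", i):
            msg, i = read_quoted(body, i + len("refpolicywarn("))
            if body[i] != ")":
                raise ValueError("expected ')' after refpolicywarn message")
            warnings.append(msg)
            i += 1
        elif body[i].isspace() or body[i] in "{}":
            i += 1                  # braces only group a flat permission set
        else:
            j = i
            while j < len(body) and not body[j].isspace() and body[j] not in "{}":
                j += 1
            tokens.append(body[i:j])
            i = j
    return tokens, warnings


def resolve_perm_set(defines, name, _seen=frozenset()):
    """Expand a named set, following aliases; returns (perms, deprecation warnings)."""
    if name in _seen:
        raise ValueError(f"cyclic definition via {name}")
    tokens, warnings = split_body(defines[name])
    perms = set()
    for tok in tokens:
        if tok in defines:
            sub, subwarn = resolve_perm_set(defines, tok, _seen | {name})
            perms |= sub
            warnings += subwarn
        else:
            perms.add(tok)
    return perms, warnings


def parse_type_args(call):
    """Split a macro call into (macro, [(included, excluded), ...]) per argument."""
    m = re.fullmatch(r"\s*(\w+)\((.*)\)\s*", call)
    if not m:
        raise ValueError("not a macro call")
    parsed = []
    for arg in m.group(2).split(","):
        inc, exc = [], []
        for tok in arg.split():
            (exc if tok.startswith("-") else inc).append(tok.lstrip("-"))
        parsed.append((inc, exc))
    return m.group(1), parsed


if __name__ == "__main__":
    d = parse_defines(SAMPLE_SPT)
    print(resolve_perm_set(d, "userfaultfd_anon_inode_perms"))
    print(parse_type_args(SAMPLE_CALL))
```

Run against the sample, the deprecated alias resolves to the same twelve permissions as `common_inode_perms` and carries the deprecation message along, and the `sandbox.te` call parses to one included type and nine excluded ones, which is the reading the policy compiler gives these lines.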
dburgener commented
Thanks for the report. I can reproduce locally and am looking into updating the parser.