Re: [PATCH 2/2] sepolicy: Fix sorting of port_strings in python 3

2017-06-02 Thread Stephen Smalley
On Fri, 2017-06-02 at 22:01 +0200, Petr Lautrbach wrote:
> Fixes:
> $ sepolicy network -d httpd_t
> 
> httpd_t: tcp name_connect
> Traceback (most recent call last):
>   File /usr/bin/sepolicy, line 699, in 
> args.func(args)
>   File /usr/bin/sepolicy, line 319, in network
> _print_net(d, tcp, name_connect)
>   File /usr/bin/sepolicy, line 276, in _print_net
> port_strings.sort(numcmp)
> TypeError: must use keyword argument for key function
> 
> Signed-off-by: Petr Lautrbach 

Thanks, applied both.

> ---
>  python/sepolicy/sepolicy.py | 18 ++
>  1 file changed, 6 insertions(+), 12 deletions(-)
> 
> diff --git a/python/sepolicy/sepolicy.py
> b/python/sepolicy/sepolicy.py
> index 5bf9b526..141f64ec 100755
> --- a/python/sepolicy/sepolicy.py
> +++ b/python/sepolicy/sepolicy.py
> @@ -241,19 +241,13 @@ def generate_custom_usage(usage_text,
> usage_dict):
>  
>  return usage_text
>  
> -
> -def numcmp(val1, val2):
> +# expects formats:
> +# "22 (sshd_t)", "80, 8080 (httpd_t)", "all ports (port_type)"
> +def port_string_to_num(val):
>  try:
> -v1 = int(val1.split(",")[0].split("-")[0])
> -v2 = int(val2.split(",")[0].split("-")[0])
> -if v1 > v2:
> -return 1
> -if v1 == v2:
> -return 0
> -if v1 < v2:
> -return -1
> +return int(val.split(" ")[0].split(",")[0].split("-")[0])
>  except:
> -return cmp(val1, val2)
> +return 
>  
>  
>  def _print_net(src, protocol, perm):
> @@ -273,7 +267,7 @@ def _print_net(src, protocol, perm):
>  port_strings.append("%s (%s) %s" % (",
> ".join(recs), t, boolean_text))
>  else:
>  port_strings.append("%s (%s)" % (",
> ".join(recs), t))
> -port_strings.sort(numcmp)
> +port_strings.sort(key=lambda param:
> port_string_to_num(param))
>  for p in port_strings:
>  print("\t" + p)
>  


[PATCH 2/2] sepolicy: Fix sorting of port_strings in python 3

2017-06-02 Thread Petr Lautrbach
Fixes:
$ sepolicy network -d httpd_t

httpd_t: tcp name_connect
Traceback (most recent call last):
  File /usr/bin/sepolicy, line 699, in 
args.func(args)
  File /usr/bin/sepolicy, line 319, in network
_print_net(d, tcp, name_connect)
  File /usr/bin/sepolicy, line 276, in _print_net
port_strings.sort(numcmp)
TypeError: must use keyword argument for key function

Signed-off-by: Petr Lautrbach 
---
 python/sepolicy/sepolicy.py | 18 ++
 1 file changed, 6 insertions(+), 12 deletions(-)

diff --git a/python/sepolicy/sepolicy.py b/python/sepolicy/sepolicy.py
index 5bf9b526..141f64ec 100755
--- a/python/sepolicy/sepolicy.py
+++ b/python/sepolicy/sepolicy.py
@@ -241,19 +241,13 @@ def generate_custom_usage(usage_text, usage_dict):
 
 return usage_text
 
-
-def numcmp(val1, val2):
+# expects formats:
+# "22 (sshd_t)", "80, 8080 (httpd_t)", "all ports (port_type)"
+def port_string_to_num(val):
 try:
-v1 = int(val1.split(",")[0].split("-")[0])
-v2 = int(val2.split(",")[0].split("-")[0])
-if v1 > v2:
-return 1
-if v1 == v2:
-return 0
-if v1 < v2:
-return -1
+return int(val.split(" ")[0].split(",")[0].split("-")[0])
 except:
-return cmp(val1, val2)
+return 
 
 
 def _print_net(src, protocol, perm):
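Review bot: The new port_string_to_num still returns None from its bare `except:` (the bare `return` at the end of the function), yet the comment above the def lists `"all ports (port_type)"` as an expected input, for which `int("all")` raises ValueError; on Python 3 the sort then compares a None key with an int key and fails with `TypeError: '<' not supported between instances of 'NoneType' and 'int'`, the same kind of crash this patch fixes for the cmp case. Returning a sentinel integer keeps every key comparable, and narrowing the clause stops it from hiding unrelated errors: `except ValueError:` / `return -1` (or `sys.maxsize` if "all ports" should sort last). The dropped numcmp fell back to comparing the raw strings, so the relative order of non-numeric entries is lost either way; a short comment stating where the sentinel places them would make that deliberate.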
@@ -273,7 +267,7 @@ def _print_net(src, protocol, perm):
 port_strings.append("%s (%s) %s" % (", ".join(recs), t, 
boolean_text))
 else:
 port_strings.append("%s (%s)" % (", ".join(recs), t))
-port_strings.sort(numcmp)
+port_strings.sort(key=lambda param: port_string_to_num(param))
 for p in port_strings:
 print("\t" + p)
 
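Review bot: `key=lambda param: port_string_to_num(param)` wraps the key function in a lambda that adds nothing; the idiomatic form is `port_strings.sort(key=port_string_to_num)`. This call now only works if port_string_to_num returns mutually comparable values for every entry in port_strings, which is worth stating on the line, e.g. `# keys must all be ints, see port_string_to_num`. _print_net begins outside the hunk.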
-- 
2.13.0



[PATCH 1/2] sepolicy/interface: Use relative python 3 imports

2017-06-02 Thread Petr Lautrbach
Fixes:
Verify sepolicy interface -c -i works ... Traceback (most recent call last):
  File "/usr/bin/sepolicy", line 699, in 
args.func(args)
  File "/usr/bin/sepolicy", line 508, in interface
print_interfaces(args.interfaces, args)
  File "/usr/bin/sepolicy", line 492, in print_interfaces
interface_compile_test(i)
  File "/usr/lib/python3.6/site-packages/sepolicy/interface.py", line 226, in 
interface_compile_test
fd.write(generate_compile_te(interface, idict))
  File "/usr/lib/python3.6/site-packages/sepolicy/interface.py", line 184, in 
generate_compile_te
from templates import test_module
ModuleNotFoundError: No module named 'templates'

Signed-off-by: Petr Lautrbach 
---
 python/sepolicy/sepolicy/interface.py | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/python/sepolicy/sepolicy/interface.py 
b/python/sepolicy/sepolicy/interface.py
index 8956f394..c64122e5 100644
--- a/python/sepolicy/sepolicy/interface.py
+++ b/python/sepolicy/sepolicy/interface.py
@@ -171,7 +171,7 @@ def get_interface_format_text(interface, 
path="/usr/share/selinux/devel/policy.x
 
 
 def get_interface_compile_format_text(interfaces_dict, interface):
-from templates import test_module
+from .templates import test_module
 param_tmp = []
 for i in interfaces_dict[interface][0]:
 param_tmp.append(test_module.dict_values[i])
@@ -181,7 +181,7 @@ def get_interface_compile_format_text(interfaces_dict, 
interface):
 
 
 def generate_compile_te(interface, idict, name="compiletest"):
-from templates import test_module
+from .templates import test_module
 te = ""
 te += re.sub("TEMPLATETYPE", name, test_module.te_test_module)
 te += get_interface_compile_format_text(idict, interface)
-- 
2.13.0



[no subject]

2017-06-02 Thread Petr Lautrbach
The following patches fix sepolicy python3 issues found by
`make test` in python/sepolicy 



Re: last call for selinux 2.7-rc1 release

2017-06-02 Thread Stephen Smalley
On Fri, 2017-04-21 at 10:04 -0400, Stephen Smalley wrote:
> Hi,
> 
> We plan to cut a 2.7-rc1 selinux userspace release in the next week
> or
> so.  If you have any additional patches you want included in 2.7,
> please post them to the list soon.

This took longer than anticipated due to patch volume and wanting to
get certain features and bug fixes in place, but I think we should be
ready to cut an -rc1 release next week.



Re: [PATCH] libsepol/cil: fix error check in new cil_resolve_name

2017-06-02 Thread jwcart2

On 06/02/2017 07:21 AM, Steve Lawrence wrote:

This prevented cil_resolve_name() from returning an actual thing when a
name resolved to an alias. This appears to have only affected resolution
dealing with sensitivity and category aliases. Type aliases were not
affected since places that dealt with types handled type aliases
specifically and did not rely on this behavior from cil_resolve_name().

Signed-off-by: Steve Lawrence 


Applied.

Thanks,
Jim


---
  libsepol/cil/src/cil_resolve_ast.c | 2 +-
  1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/libsepol/cil/src/cil_resolve_ast.c 
b/libsepol/cil/src/cil_resolve_ast.c
index fc44a5e..d1a5ed8 100644
--- a/libsepol/cil/src/cil_resolve_ast.c
+++ b/libsepol/cil/src/cil_resolve_ast.c
@@ -4125,7 +4125,7 @@ int cil_resolve_name(struct cil_tree_node *ast_node, char 
*name, enum cil_sym_in
struct cil_tree_node *node = NULL;
  
  	rc = cil_resolve_name_keep_aliases(ast_node, name, sym_index, extra_args, datum);

-   if (rc != SEPOL_ERR) {
+   if (rc != SEPOL_OK) {
goto exit;
}
  




--
James Carter 
National Security Agency


Re: [PATCH security-next 2/2] selinux: use pernet operations for hook registration

2017-06-02 Thread Paul Moore
On Wed, Apr 26, 2017 at 4:47 PM, Paul Moore  wrote:
> On Wed, Apr 26, 2017 at 4:46 PM, Paul Moore  wrote:
>> On Fri, Apr 21, 2017 at 5:49 AM, Florian Westphal  wrote:
>>> It will allow us to remove the old netfilter hook api in the near future.
>>>
>>> Signed-off-by: Florian Westphal 
>>> ---
>>>  security/selinux/hooks.c | 24 
>>>  1 file changed, 20 insertions(+), 4 deletions(-)
>>
>> Looks fine to me, I'm going to queue this up for after the v4.12 merge 
>> window.
>
> ... and I just realized that the SELinux list wasn't CC'd on this
> patch, fixing that now.

Merged, thanks.

-- 
paul moore
www.paul-moore.com


Re: [PATCH v2] security/selinux: allow security_sb_clone_mnt_opts to enable/disable native labeling behavior

2017-06-02 Thread Stephen Smalley
On Thu, 2017-06-01 at 16:59 -0400, Scott Mayhew wrote:
> When an NFSv4 client performs a mount operation, it first mounts the
> NFSv4 root and then does path walk to the exported path and performs
> a
> submount on that, cloning the security mount options from the root's
> superblock to the submount's superblock in the process.
> 
> Unless the NFS server has an explicit fsid=0 export with the
> "security_label" option, the NFSv4 root superblock will not have
> SBLABEL_MNT set, and neither will the submount superblock after
> cloning
> the security mount options.  As a result, setxattr's of security
> labels
> over NFSv4.2 will fail.  In a similar fashion, NFSv4.2 mounts mounted
> with the context= mount option will not show the correct labels
> because
> the nfs_server->caps flags of the cloned superblock will still have
> NFS_CAP_SECURITY_LABEL set.
> 
> Allowing the NFSv4 client to enable or disable
> SECURITY_LSM_NATIVE_LABELS
> behavior will ensure that the SBLABEL_MNT flag has the correct value
> when the client traverses from an exported path without the
> "security_label" option to one with the "security_label" option and
> vice versa.  Similarly, checking to see if SECURITY_LSM_NATIVE_LABELS
> is
> set upon return from security_sb_clone_mnt_opts() and clearing
> NFS_CAP_SECURITY_LABEL if necessary will allow the correct labels to
> be displayed for NFSv4.2 mounts mounted with the context= mount
> option.
> 
> Signed-off-by: Scott Mayhew 
> ---
>  fs/nfs/super.c| 18 +-
>  include/linux/lsm_hooks.h |  4 +++-
>  include/linux/security.h  |  8 ++--
>  security/security.c   |  7 +--
>  security/selinux/hooks.c  | 35 +--
>  5 files changed, 64 insertions(+), 8 deletions(-)

What tree is this against? Doesn't apply cleanly on selinux #next.

> 
> diff --git a/fs/nfs/super.c b/fs/nfs/super.c
> index 2f3822a..ffded39 100644
> --- a/fs/nfs/super.c
> +++ b/fs/nfs/super.c
> @@ -2544,10 +2544,26 @@ EXPORT_SYMBOL_GPL(nfs_set_sb_security);
>  int nfs_clone_sb_security(struct super_block *s, struct dentry
> *mntroot,
>     struct nfs_mount_info *mount_info)
>  {
> + int error;
> + unsigned long kflags = 0, kflags_out = 0;
> +
>   /* clone any lsm security options from the parent to the new
> sb */
>   if (d_inode(mntroot)->i_op != NFS_SB(s)->nfs_client-
> >rpc_ops->dir_inode_ops)
>   return -ESTALE;
> - return security_sb_clone_mnt_opts(mount_info->cloned->sb,
> s);
> +
> + if (NFS_SB(s)->caps & NFS_CAP_SECURITY_LABEL)
> + kflags |= SECURITY_LSM_NATIVE_LABELS;
> +
> + error = security_sb_clone_mnt_opts(mount_info->cloned->sb,
> s, kflags,
> + _out);
> + if (error)
> + return error;
> +
> + if (NFS_SB(s)->caps & NFS_CAP_SECURITY_LABEL &&
> + !(kflags_out & SECURITY_LSM_NATIVE_LABELS))
> + NFS_SB(s)->caps &= ~NFS_CAP_SECURITY_LABEL;
> + return error;

This can just be return 0, right?

> +
>  }
>  EXPORT_SYMBOL_GPL(nfs_clone_sb_security);
>  
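Review bot: The condition added before the final return, `if (NFS_SB(s)->caps & NFS_CAP_SECURITY_LABEL && !(kflags_out & SECURITY_LSM_NATIVE_LABELS))`, mixes bitwise `&` with logical `&&` without parentheses; it parses as intended because `&` binds tighter, but the usual kernel style is to make that explicit: `if ((NFS_SB(s)->caps & NFS_CAP_SECURITY_LABEL) && !(kflags_out & SECURITY_LSM_NATIVE_LABELS))`. The hunk also adds an empty line between that return and the closing brace of nfs_clone_sb_security, which checkpatch flags as a blank line before a close brace. A one-line comment above the test would save the next reader a trip to the commit log, e.g. `/* LSM declined native labels for this sb (e.g. context= mount); stop advertising them */`. The argument text on the security_sb_clone_mnt_opts call looks garbled in this archive copy (`_out);`), presumably `&kflags_out);` in the original patch.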
> diff --git a/include/linux/lsm_hooks.h b/include/linux/lsm_hooks.h
> index 080f34e..2f54bfb 100644
> --- a/include/linux/lsm_hooks.h
> +++ b/include/linux/lsm_hooks.h
> @@ -1388,7 +1388,9 @@ union security_list_options {
>   unsigned long kern_flags,
>   unsigned long *set_kern_flags);
>   int (*sb_clone_mnt_opts)(const struct super_block *oldsb,
> - struct super_block *newsb);
> + struct super_block *newsb,
> + unsigned long kern_flags,
> + unsigned long
> *set_kern_flags);
>   int (*sb_parse_opts_str)(char *options, struct
> security_mnt_opts *opts);
>   int (*dentry_init_security)(struct dentry *dentry, int mode,
>   const struct qstr *name,
> void **ctx,
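Review bot: The sb_clone_mnt_opts member gains kern_flags and set_kern_flags, but the diffstat records only three added lines in lsm_hooks.h, so if this tree's hook-description comment block in the same header documents @sb_clone_mnt_opts it is left describing the old two-argument form. It should state what the caller may pass in kern_flags (SECURITY_LSM_NATIVE_LABELS per the commit message) and that set_kern_flags reports back which of those the LSM accepted, since NFS now acts on that output. The surrounding union runs outside the hunk.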
> diff --git a/include/linux/security.h b/include/linux/security.h
> index af675b5..a55ae9c 100644
> --- a/include/linux/security.h
> +++ b/include/linux/security.h
> @@ -240,7 +240,9 @@ int security_sb_set_mnt_opts(struct super_block
> *sb,
>   unsigned long kern_flags,
>   unsigned long *set_kern_flags);
>  int security_sb_clone_mnt_opts(const struct super_block *oldsb,
> - struct super_block *newsb);
> + struct super_block *newsb,
> + unsigned long kern_flags,
> + unsigned long *set_kern_flags);
>  int security_sb_parse_opts_str(char *options, struct
> security_mnt_opts *opts);
>  int security_dentry_init_security(struct dentry *dentry, int mode,
>   const struct qstr *name,
> void **ctx,
> @@ -581,7 +583,9 @@ static inline int 

Re: [PATCH] libsepol/cil: better error message with duplicate aliases + support aliases to aliases

2017-06-02 Thread Dominick Grift
On Fri, Jun 02, 2017 at 07:12:25AM -0400, Steve Lawrence wrote:
> On 06/02/2017 05:18 AM, Dominick Grift wrote:
> > On Thu, Jun 01, 2017 at 11:37:11PM +0200, Nicolas Iooss wrote:
> >> On Thu, Jun 1, 2017 at 7:05 PM, jwcart2  wrote:
> >>> On 06/01/2017 09:23 AM, Steve Lawrence wrote:
> 
>  - If two typealiasactual statements exist for the same typealias, we get
> a confusing error message mentioning that the actual argument is not
> an alias, which is clearly allowed. This poor error occurs because the
> first typealiasactual statement resolves correctly, but when we
> resolve the alias in the second typealiasactual statement,
> cil_resolve_name tries to return what the alias points to, which is a
> type and not the required typealias. This patch creates a new function
> that does not perform the alias to actual conversion, used when we
> want an alias and not what the alias points to. This allows the
> cil_resolve_aliasactual to continue and reach the check for duplicate
> typealiasactual statements, resulting in a more meaningful error
> message.
> 
>  - Add back support for aliases to aliases (broken in 5c9fcb02e),
> while still ensuring that aliases point to either the correct actual
> flavor or alias flavor, and not something else like a typeattribute.
> 
>  Signed-off-by: Steve Lawrence 
> >>>
> >>>
> >>> I didn't even think of the case of an alias of an alias. Applied.
> >>>
> >>> Thanks,
> >>> Jim
> >>
> >> Hello,
> >> This patch broke secilc's test case. From secilc/ directory:
> >>
> >> $ ./secilc test/policy.cil
> >> cat0 is not a category. Only categories are allowed in
> >> categoryorder statements
> >> Failed to compile cildb: -1
> >>
> >> cat0 is defined as a categoryalias in secilc/test/policy.cil and is
> >> used in "(categoryorder (cat0 c1 c2 c3))". I do not have time right
> >> now to investigate further what is causing the issue, but reverting
> >> this commit (e501d3b6e8d2) fixes "make test".
> 
> Looks like an incorrect error check in the recent patch I sent out. It
> appears like typealiases are handled in many parts of the code and do
> not rely on cil_resolve_name to convert to the actual, so typealias
> appear to not be affected. But category and sensitivity resolution does
> rely on cil_resolve_name to do the conversion. A patch is coming to fix
> this.
> 
> >> Nicolas
> >> PS: if anyone is interested in the Travis-CI output of this bug, it is
> >> available on https://travis-ci.org/fishilico/selinux/builds/238505788
> >> .
> > 
> > There is still at least one typealias issue:
> > 
> > for example, as said, i have:
> > 
> > (typealias rpm_script_t)
> > (typealiasactual rpm_script_t rpm.script.subj)
> > 
> > where rpm.script.subj is a valid declared type
> > 
> > However when i, in addition and by mistake, try to declare rpm.script.subj 
> > typealias as per:
> > 
> > (typealias rpm.script.subj)
> 
> This is illegal syntax. Just like you cannot define a type as
> 
>   (type foo.bar.baz)
> 
> Instead, you need to use blocks if you want to namespace a typealias.
> 
>   (block rpm
> (block script
>   (typealias subj)
> )
>   )
> 
> > 
> > then it does not return: Re-declaration of typealias rpm.script.subj
> 
> Re-declaration checks happen in resolution, but since this is a syntax
> error it never even gets that far to do the check. The below error is
> expected.

Makes sense, thanks

> 
> > 
> > instead it returns:
> > 
> > Invalid character "." in rpm.script.subj
> > Invalid name
> > Failed to create node
> > 
> > This does "work" however with non-name spaced types:
> > 
> > (type a)
> > (typealias b)
> > (typealiasactual b a)
> > (typealias a)
> 
> This causes an error for me:

Yes, that is what i mean with "does work". It fails as expected but the error 
message makes sense.

Alright thanks that settles that then

> 
>   Re-declaration of typealias a
>   Failed to create node
>   Bad typealias declaration at policy.cil:13
> 
> That error is correct. You cannot define a type and typealias with the
> same name.
> 
> > regardless: the segfaults are gone. Thanks for this
> > 
> >>
> >>>
> >>>
>  ---
>    libsepol/cil/src/cil_resolve_ast.c | 48
>  --
>    libsepol/cil/src/cil_resolve_ast.h |  1 +
>    2 files changed, 32 insertions(+), 17 deletions(-)
> 
>  diff --git a/libsepol/cil/src/cil_resolve_ast.c
>  b/libsepol/cil/src/cil_resolve_ast.c
>  index 5c26530..fc44a5e 100644
>  --- a/libsepol/cil/src/cil_resolve_ast.c
>  +++ b/libsepol/cil/src/cil_resolve_ast.c
>  @@ -515,7 +515,7 @@ int cil_resolve_aliasactual(struct cil_tree_node
>  *current, void *extra_args, enu
>  goto exit;
>  }
>    - rc = cil_resolve_name(current, aliasactual->alias_str, sym_index,
>  

Re: [PATCH] libsepol/cil: better error message with duplicate aliases + support aliases to aliases

2017-06-02 Thread Steve Lawrence
On 06/02/2017 05:18 AM, Dominick Grift wrote:
> On Thu, Jun 01, 2017 at 11:37:11PM +0200, Nicolas Iooss wrote:
>> On Thu, Jun 1, 2017 at 7:05 PM, jwcart2  wrote:
>>> On 06/01/2017 09:23 AM, Steve Lawrence wrote:

 - If two typealiasactual statements exist for the same typealias, we get
a confusing error message mentioning that the actual argument is not
an alias, which is clearly allowed. This poor error occurs because the
first typealiasactual statement resolves correctly, but when we
resolve the alias in the second typealiasactual statement,
cil_resolve_name tries to return what the alias points to, which is a
type and not the required typealias. This patch creates a new function
that does not perform the alias to actual conversion, used when we
want an alias and not what the alias points to. This allows the
cil_resolve_aliasactual to continue and reach the check for duplicate
typealiasactual statements, resulting in a more meaningful error
message.

 - Add back support for aliases to aliases (broken in 5c9fcb02e),
while still ensuring that aliases point to either the correct actual
flavor or alias flavor, and not something else like a typeattribute.

 Signed-off-by: Steve Lawrence 
>>>
>>>
>>> I didn't even think of the case of an alias of an alias. Applied.
>>>
>>> Thanks,
>>> Jim
>>
>> Hello,
>> This patch broke secilc's test case. From secilc/ directory:
>>
>> $ ./secilc test/policy.cil
>> cat0 is not a category. Only categories are allowed in
>> categoryorder statements
>> Failed to compile cildb: -1
>>
>> cat0 is defined as a categoryalias in secilc/test/policy.cil and is
>> used in "(categoryorder (cat0 c1 c2 c3))". I do not have time right
>> now to investigate further what is causing the issue, but reverting
>> this commit (e501d3b6e8d2) fixes "make test".

Looks like an incorrect error check in the recent patch I sent out. It
appears like typealiases are handled in many parts of the code and do
not rely on cil_resolve_name to convert to the actual, so typealias
appear to not be affected. But category and sensitivity resolution does
rely on cil_resolve_name to do the conversion. A patch is coming to fix
this.

>> Nicolas
>> PS: if anyone is interested in the Travis-CI output of this bug, it is
>> available on https://travis-ci.org/fishilico/selinux/builds/238505788
>> .
> 
> There is still at least one typealias issue:
> 
> for example, as said, i have:
> 
> (typealias rpm_script_t)
> (typealiasactual rpm_script_t rpm.script.subj)
> 
> where rpm.script.subj is a valid declared type
> 
> However when i, in addition and by mistake, try to declare rpm.script.subj 
> typealias as per:
> 
> (typealias rpm.script.subj)

This is illegal syntax. Just like you cannot define a type as

  (type foo.bar.baz)

Instead, you need to use blocks if you want to namespace a typealias.

  (block rpm
(block script
  (typealias subj)
)
  )

> 
> then it does not return: Re-declaration of typealias rpm.script.subj

Re-declaration checks happen in resolution, but since this is a syntax
error it never even gets that far to do the check. The below error is
expected.

> 
> instead it returns:
> 
> Invalid character "." in rpm.script.subj
> Invalid name
> Failed to create node
> 
> This does "work" however with non-name spaced types:
> 
> (type a)
> (typealias b)
> (typealiasactual b a)
> (typealias a)

This causes an error for me:

  Re-declaration of typealias a
  Failed to create node
  Bad typealias declaration at policy.cil:13

That error is correct. You cannot define a type and typealias with the
same name.

> regardless: the segfaults are gone. Thanks for this
> 
>>
>>>
>>>
 ---
   libsepol/cil/src/cil_resolve_ast.c | 48
 --
   libsepol/cil/src/cil_resolve_ast.h |  1 +
   2 files changed, 32 insertions(+), 17 deletions(-)

 diff --git a/libsepol/cil/src/cil_resolve_ast.c
 b/libsepol/cil/src/cil_resolve_ast.c
 index 5c26530..fc44a5e 100644
 --- a/libsepol/cil/src/cil_resolve_ast.c
 +++ b/libsepol/cil/src/cil_resolve_ast.c
 @@ -515,7 +515,7 @@ int cil_resolve_aliasactual(struct cil_tree_node
 *current, void *extra_args, enu
 goto exit;
 }
   - rc = cil_resolve_name(current, aliasactual->alias_str, sym_index,
 extra_args, _datum);
 +   rc = cil_resolve_name_keep_aliases(current,
 aliasactual->alias_str, sym_index, extra_args, _datum);
 if (rc != SEPOL_OK) {
 goto exit;
 }
 @@ -530,7 +530,7 @@ int cil_resolve_aliasactual(struct cil_tree_node
 *current, void *extra_args, enu
 goto exit;
 }
   - if (NODE(actual_datum)->flavor != flavor) {
 +   if (NODE(actual_datum)->flavor != flavor &&

Re: [PATCH] libsepol/cil: better error message with duplicate aliases + support aliases to aliases

2017-06-02 Thread Dominick Grift
On Thu, Jun 01, 2017 at 11:37:11PM +0200, Nicolas Iooss wrote:
> On Thu, Jun 1, 2017 at 7:05 PM, jwcart2  wrote:
> > On 06/01/2017 09:23 AM, Steve Lawrence wrote:
> >>
> >> - If two typealiasactual statements exist for the same typealias, we get
> >>a confusing error message mentioning that the actual argument is not
> >>an alias, which is clearly allowed. This poor error occurs because the
> >>first typealiasactual statement resolves correctly, but when we
> >>resolve the alias in the second typealiasactual statement,
> >>cil_resolve_name tries to return what the alias points to, which is a
> >>type and not the required typealias. This patch creates a new function
> >>that does not perform the alias to actual conversion, used when we
> >>want an alias and not what the alias points to. This allows the
> >>cil_resolve_aliasactual to continue and reach the check for duplicate
> >>typealiasactual statements, resulting in a more meaningful error
> >>message.
> >>
> >> - Add back support for aliases to aliases (broken in 5c9fcb02e),
> >>while still ensuring that aliases point to either the correct actual
> >>flavor or alias flavor, and not something else like a typeattribute.
> >>
> >> Signed-off-by: Steve Lawrence 
> >
> >
> > I didn't even think of the case of an alias of an alias. Applied.
> >
> > Thanks,
> > Jim
> 
> Hello,
> This patch broke secilc's test case. From secilc/ directory:
> 
> $ ./secilc test/policy.cil
> cat0 is not a category. Only categories are allowed in
> categoryorder statements
> Failed to compile cildb: -1
> 
> cat0 is defined as a categoryalias in secilc/test/policy.cil and is
> used in "(categoryorder (cat0 c1 c2 c3))". I do not have time right
> now to investigate further what is causing the issue, but reverting
> this commit (e501d3b6e8d2) fixes "make test".
> 
> Nicolas
> PS: if anyone is interested in the Travis-CI output of this bug, it is
> available on https://travis-ci.org/fishilico/selinux/builds/238505788
> .

There is still at least one typealias issue:

for example, as said, i have:

(typealias rpm_script_t)
(typealiasactual rpm_script_t rpm.script.subj)

where rpm.script.subj is a valid declared type

However when i, in addition and by mistake, try to declare rpm.script.subj 
typealias as per:

(typealias rpm.script.subj)

then it does not return: Re-declaration of typealias rpm.script.subj

instead it returns:

Invalid character "." in rpm.script.subj
Invalid name
Failed to create node

This does "work" however with non-name spaced types:

(type a)
(typealias b)
(typealiasactual b a)
(typealias a)

regardless: the segfaults are gone. Thanks for this

> 
> >
> >
> >> ---
> >>   libsepol/cil/src/cil_resolve_ast.c | 48
> >> --
> >>   libsepol/cil/src/cil_resolve_ast.h |  1 +
> >>   2 files changed, 32 insertions(+), 17 deletions(-)
> >>
> >> diff --git a/libsepol/cil/src/cil_resolve_ast.c
> >> b/libsepol/cil/src/cil_resolve_ast.c
> >> index 5c26530..fc44a5e 100644
> >> --- a/libsepol/cil/src/cil_resolve_ast.c
> >> +++ b/libsepol/cil/src/cil_resolve_ast.c
> >> @@ -515,7 +515,7 @@ int cil_resolve_aliasactual(struct cil_tree_node
> >> *current, void *extra_args, enu
> >> goto exit;
> >> }
> >>   - rc = cil_resolve_name(current, aliasactual->alias_str, sym_index,
> >> extra_args, _datum);
> >> +   rc = cil_resolve_name_keep_aliases(current,
> >> aliasactual->alias_str, sym_index, extra_args, _datum);
> >> if (rc != SEPOL_OK) {
> >> goto exit;
> >> }
> >> @@ -530,7 +530,7 @@ int cil_resolve_aliasactual(struct cil_tree_node
> >> *current, void *extra_args, enu
> >> goto exit;
> >> }
> >>   - if (NODE(actual_datum)->flavor != flavor) {
> >> +   if (NODE(actual_datum)->flavor != flavor &&
> >> NODE(actual_datum)->flavor != alias_flavor) {
> >> cil_log(CIL_ERR, "%s is a %s, but aliases a %s\n",
> >> alias_datum->name, cil_node_to_string(NODE(alias_datum)),
> >> cil_node_to_string(NODE(actual_datum)));
> >> rc = SEPOL_ERR;
> >> goto exit;
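Review bot: Accepting alias_flavor in the flavor check means actual_datum may itself be an alias, and nothing in this hunk or the one-binding check that follows it stops two aliases from binding to each other (`(typealiasactual a b)` then `(typealiasactual b a)`): each alias's `actual` is still NULL when its own statement is resolved, so both bindings succeed. Unless the code that later follows `actual` to reach the real type carries a cycle guard, such a policy would presumably loop rather than fail; a bounded walk there that errors when it returns to the starting alias, or a post-resolution pass over all aliases, would close this. cil_resolve_aliasactual begins and ends outside the hunk.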
> >> @@ -539,7 +539,7 @@ int cil_resolve_aliasactual(struct cil_tree_node
> >> *current, void *extra_args, enu
> >> alias = (struct cil_alias *)alias_datum;
> >> if (alias->actual != NULL) {
> >> -   cil_log(CIL_ERR, "Alias cannot bind more than one
> >> value\n");
> >> +   cil_log(CIL_ERR, "%s %s cannot bind more than one
> >> value\n", cil_node_to_string(NODE(alias_datum)), alias_datum->name);
> >> rc = SEPOL_ERR;
> >> goto exit;
> >> }
> >> @@ -4122,6 +4122,34 @@ static int __cil_resolve_name_helper(struct cil_db
> >> *db, struct cil_tree_node *no
> >>   int cil_resolve_name(struct cil_tree_node *ast_node, char *name, enum
> >> cil_sym_index sym_index, void *extra_args, struct