Re: secilc genfscon parsing error

On Wed, Nov 23, 2022 at 10:55 AM Matthew Sheets
<masheets@xxxxxxxxxxxxxxxxxxx> wrote:
>
> Hi,
>
> I am seeing a parsing error from secilc when trying to compile the
> following line:
> (genfscon sysfs "/zap" file (system_u object_r foo ((s0) (s0))))
>
> But according to the documentation here:
> https://github.com/SELinuxProject/selinux/blob/master/secilc/docs/cil_file_labeling_statements.md#genfscon
> I believe this should be a valid line.
>
> The compiler error given is:
> Invalid syntax
> Bad genfscon declaration at out.cil:129
> Failed to build AST
> Failed to compile cildb: -1
>
> If I remove the file keyword everything compiles correctly.
>
> Other interesting points of data:
>
> In ref policy there is the following line in selinux.te
> genfscon selinuxfs /booleans/ -- gen_context(system_u:object_r:boolean_t,s0)
>
> When compiling this to cil with checkpolicy the following line is produced:
> (genfscon selinuxfs "/booleans/" (system_u object_r boolean_t (systemlow
> systemlow)))
> Which has no reference to the optional file_type field.

CIL did not properly handle the optional file type until a year ago.
The SELinux userspace version 3.4, released last May, would be the
only one that has the fix.
Your rule will work with the latest release.

Thanks,
Jim
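
An added example, not part of the original messages and not SELinux project code: a small Python check that scans CIL source for `genfscon` rules using the optional file-type field, so they can be spotted before the policy is built with a secilc that predates the fix mentioned in the reply. The function names and the third sample rule are assumptions made for illustration; the keyword list is the one given in the CIL documentation linked above.

```python
import re

# File-type keywords from the CIL genfscon documentation linked in the thread.
FILE_TYPES = {"file", "dir", "char", "block", "socket", "pipe", "symlink", "any"}
# Parentheses, quoted strings, ';' comments, bare symbols.
TOKEN = re.compile(r'\(|\)|"[^"]*"|;[^\n]*|[^\s()";]+')

def statements(text):
    """Return (line, node) for every parenthesised CIL list, nested ones included."""
    stack, found = [], []
    for m in TOKEN.finditer(text):
        tok = m.group()
        if tok.startswith(";"):
            continue
        if tok == "(":
            stack.append((text.count("\n", 0, m.start()) + 1, []))
        elif tok == ")":
            if not stack:
                raise ValueError("unbalanced ')'")
            line, node = stack.pop()
            found.append((line, node))
            if stack:
                stack[-1][1].append(node)
        elif stack:
            stack[-1][1].append(tok)
    if stack:
        raise ValueError("unclosed '(' at line %d" % stack[-1][0])
    return found

def genfscon_with_file_type(text):
    """List (line, fsname, path, file_type) for genfscon rules using the optional field."""
    hits = []
    for line, node in statements(text):
        if (len(node) == 5 and node[0] == "genfscon"
                and isinstance(node[3], str) and node[3] in FILE_TYPES):
            hits.append((line, node[1], str(node[2]).strip('"'), node[3]))
    return sorted(hits)

# Constructed sample: the first two rules are the ones quoted in the thread.
SAMPLE = '''; constructed policy fragment
(genfscon sysfs "/zap" file (system_u object_r foo ((s0) (s0))))
(genfscon selinuxfs "/booleans/" (system_u object_r boolean_t (systemlow
systemlow)))
(genfscon proc "/net" dir (system_u object_r foo ((s0) (s0))))
'''

if __name__ == "__main__":
    for line, fs, path, ftype in genfscon_with_file_type(SAMPLE):
        print(f"line {line}: genfscon {fs} {path} uses file type '{ftype}'; "
              "needs a secilc with the fix (3.4 per the reply)")
```
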
