Matthew Sheets <masheets@xxxxxxxxxxxxxxxxxxx> writes:

> Hi,
>
> I am seeing a parsing error from secilc when trying to compile the
> following line:
> (genfscon sysfs "/zap" file (system_u object_r foo ((s0) (s0))))

Works fine here (unless I am overlooking something):

root@brutus:~# cat > mytest.cil <<EOF
> (blockinherit .sysfile.base_template)
> EOF
root@brutus:~# cat > mytest.cil <<EOF
> (block foo (blockinherit .sysfile.base_template) (genfscon "/foo" file sysfile_context))
> EOF
root@brutus:~# semodule -i mytest.cil
root@brutus:~# echo $?
0
root@brutus:~# seinfo --genfscon | grep foo
genfscon /foo file sys.id:sys.role:foo.sysfile:s0
root@brutus:~#

>
> But according to the documentation here:
> https://github.com/SELinuxProject/selinux/blob/master/secilc/docs/cil_file_labeling_statements.md#genfscon
> I believe this should be a valid line.
>
> The compiler error given is:
> Invalid syntax
> Bad genfscon declaration at out.cil:129
> Failed to build AST
> Failed to compile cildb: -1
>
> If I remove the file keyword everything compiles correctly.
>
> Other interesting points of data:
>
> In ref policy there is the following line in selinux.te
> genfscon selinuxfs /booleans/ -- gen_context(system_u:object_r:boolean_t,s0)
>
> When compiling this to cil with checkpolicy the following line is produced:
> (genfscon selinuxfs "/booleans/" (system_u object_r boolean_t
> (systemlow systemlow)))
> Which has no reference to the optional file_type field.
>

--
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6 E0FF DA7E 521F 10F6 4098
Dominick Grift