Re: secilc genfscon parsing error

Dominick Grift <dominick.grift@xxxxxxxxxxx> writes:

Whoops that was wrong (not sure why that worked), this should be ok
(still works):

root@brutus:~# cat > mytest.cil <<EOF

(block foo (blockinherit .sysfile.base_template) (genfscon sysfs "/foo" file sysfile_context))
   
EOF
root@brutus:~# semodule -i mytest.cil
root@brutus:~# seinfo --genfscon | grep foo
   genfscon sysfs /foo -- sys.id:sys.role:foo.sysfile:s0
root@brutus:~# 

> Matthew Sheets <masheets@xxxxxxxxxxxxxxxxxxx> writes:
>
>> Hi,
>>
>> I am seeing a parsing error from secilc when trying to compile the
>> following line:
>> (genfscon sysfs "/zap" file (system_u object_r foo ((s0) (s0))))
>
> Works fine here (unless I am overlooking something):
>
> root@brutus:~# cat > mytest.cil <<EOF
>> (blockinherit .sysfile.base_template)
>> EOF
> root@brutus:~# cat > mytest.cil <<EOF
>> (block foo (blockinherit .sysfile.base_template) (genfscon "/foo" file sysfile_context))
>> EOF
> root@brutus:~# semodule -i mytest.cil
> root@brutus:~# echo $?
> 0
> root@brutus:~# seinfo --genfscon | grep foo
>    genfscon /foo file  sys.id:sys.role:foo.sysfile:s0
> root@brutus:~# 
>
>>
>> But according to the documentation here:
>> https://github.com/SELinuxProject/selinux/blob/master/secilc/docs/cil_file_labeling_statements.md#genfscon
>> I believe this should be a valid line.
>>
>> The compiler error given is:
>> Invalid syntax
>> Bad genfscon declaration at out.cil:129
>> Failed to build AST
>> Failed to compile cildb: -1
>>
>> If I remove the file keyword everything compiles correctly.
>>
>> Other interesting points of data:
>>
>> In ref policy there is the following line in selinux.te
>> genfscon selinuxfs /booleans/ -- gen_context(system_u:object_r:boolean_t,s0)
>>
>> When compiling this to cil with checkpolicy the following line is produced:
>> (genfscon selinuxfs "/booleans/" (system_u object_r boolean_t
>> (systemlow systemlow)))
>> Which has no reference to the optional file_type field.
>>

-- 
gpg --locate-keys dominick.grift@xxxxxxxxxxx
Key fingerprint = FCD2 3660 5D6B 9D27 7FC6  E0FF DA7E 521F 10F6 4098
Dominick Grift
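
An added example, not part of the original message and not secilc code: a minimal CIL s-expression reader that lists every genfscon statement and whether it carries the optional file-type field that the reported secilc build rejects. It assumes the field can be recognized by argument count (three versus four); the sample input is constructed from the statements quoted in the thread. Read positionally, the three-argument first attempt has "/foo" in the fsname slot and file in the path slot, which is consistent with the seinfo output quoted above.

```python
import re

# Tokens: ';' comment to end of line, quoted string, parenthesis, bare symbol.
TOKEN = re.compile(r';[^\n]*|"[^"]*"|[()]|[^\s()";]+')

def parse(text):
    """Parse CIL text into nested lists; quoted strings lose their quotes."""
    stack, top = [], []
    for tok in TOKEN.findall(text):
        if tok.startswith(';'):
            continue
        if tok == '(':
            stack.append(top)
            top = []
        elif tok == ')':
            if not stack:
                raise ValueError("unbalanced ')'")
            done, top = top, stack.pop()
            top.append(done)
        else:
            top.append(tok.strip('"'))
    if stack:
        raise ValueError("unbalanced '('")
    return top

def genfscon_rules(node):
    """Yield (fsname, path, file_type or None, context), recursing into blocks."""
    if isinstance(node, list) and node and node[0] == 'genfscon':
        args = node[1:]
        if len(args) not in (3, 4):
            raise ValueError(f"genfscon with {len(args)} arguments")
        ftype = args[2] if len(args) == 4 else None  # optional third field
        yield (args[0], args[1], ftype, args[-1])
    elif isinstance(node, list):
        for child in node:
            yield from genfscon_rules(child)

# Constructed input: the genfscon statements quoted in the thread.
SAMPLE = '''
(genfscon sysfs "/zap" file (system_u object_r foo ((s0) (s0))))
(block foo (genfscon sysfs "/foo" file sysfile_context))
(block foo (genfscon "/foo" file sysfile_context)) ; first attempt, no fsname
(genfscon selinuxfs "/booleans/" (system_u object_r boolean_t (systemlow systemlow)))
'''

if __name__ == '__main__':
    for fs, path, ftype, _ctx in genfscon_rules(parse(SAMPLE)):
        print(f"{fs:10} {path:12} file_type={ftype or '(none)'}")
```

Any rule reported with a file type needs a secilc that accepts the optional field; on the build from the report those statements fail with "Bad genfscon declaration".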
