Re: secilc genfscon parsing error


On 11/23/2022 11:13 AM, Dominick Grift wrote:
Dominick Grift <dominick.grift@xxxxxxxxxxx> writes:

Whoops that was wrong (not sure why that worked), this should be ok
(still works):

root@brutus:~# cat > mytest.cil <<EOF

(block foo (blockinherit .sysfile.base_template) (genfscon sysfs "/foo" file sysfile_context))
EOF
root@brutus:~# semodule -i mytest.cil
root@brutus:~# seinfo --genfscon | grep foo
    genfscon sysfs /foo -- sys.id:sys.role:foo.sysfile:s0
root@brutus:~#

Matthew Sheets <masheets@xxxxxxxxxxxxxxxxxxx> writes:

Hi,

I am seeing a parsing error from secilc when trying to compile the
following line:
(genfscon sysfs "/zap" file (system_u object_r foo ((s0) (s0))))

Works fine here (unless I am overlooking something):

root@brutus:~# cat > mytest.cil <<EOF
(blockinherit .sysfile.base_template)
EOF
root@brutus:~# cat > mytest.cil <<EOF
(block foo (blockinherit .sysfile.base_template) (genfscon "/foo" file sysfile_context))
EOF
root@brutus:~# semodule -i mytest.cil
root@brutus:~# echo $?
0
root@brutus:~# seinfo --genfscon | grep foo
    genfscon /foo file  sys.id:sys.role:foo.sysfile:s0
root@brutus:~#


But according to the documentation here:
https://github.com/SELinuxProject/selinux/blob/master/secilc/docs/cil_file_labeling_statements.md#genfscon
I believe this should be a valid line.

The compiler error given is:
Invalid syntax
Bad genfscon declaration at out.cil:129
Failed to build AST
Failed to compile cildb: -1

If I remove the file keyword everything compiles correctly.

Other interesting points of data:

In ref policy there is the following line in selinux.te
genfscon selinuxfs /booleans/ -- gen_context(system_u:object_r:boolean_t,s0)

When compiling this to cil with checkpolicy the following line is produced:
(genfscon selinuxfs "/booleans/" (system_u object_r boolean_t (systemlow systemlow)))
Which has no reference to the optional file_type field.



I figured it out. I had two versions of libsepol.so and was linking to the older one. Thanks for the help.
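
The root cause reported above, two copies of libsepol.so on one system, can be checked for with a short script. This is an added example, not part of the original thread: the function names, sample `ldd` output and library paths are constructed for illustration, and it assumes secilc is dynamically linked against libsepol.

```shell
#!/bin/sh
# Added example: find out which libsepol a binary resolves and whether
# other copies exist. All sample data below is constructed.

# Read `ldd` output on stdin; print the libsepol path the loader resolves.
resolved_libsepol() {
    awk '$1 ~ /^libsepol\.so/ && $2 == "=>" { print $3; exit }'
}

# Read file paths on stdin (one per line); print each distinct directory
# that holds a libsepol.so* file, sorted.
libsepol_dirs() {
    while IFS= read -r p; do
        case "${p##*/}" in
            libsepol.so*) printf '%s\n' "${p%/*}" ;;
        esac
    done | sort -u
}

# $1 = ldd output, $2 = newline-separated candidate paths.
# Returns 0 when at most one directory holds libsepol, 1 when several do.
report_libsepol() {
    used=$(printf '%s\n' "$1" | resolved_libsepol)
    dirs=$(printf '%s\n' "$2" | libsepol_dirs)
    count=$(printf '%s\n' "$dirs" | grep -c . || true)
    echo "loader resolves: ${used:-<libsepol not in ldd output>}"
    echo "directories containing libsepol: $count"
    printf '%s\n' "$dirs" | sed 's/^/  /'
    [ "$count" -le 1 ]
}

# Constructed sample input (not taken from the thread).
LDD_SAMPLE='    linux-vdso.so.1 (0x00007ffc0a5f2000)
    libsepol.so.2 => /usr/local/lib/libsepol.so.2 (0x00007f1c2a400000)
    libc.so.6 => /lib/x86_64-linux-gnu/libc.so.6 (0x00007f1c2a000000)'
PATHS_SAMPLE='/usr/local/lib/libsepol.so.2
/usr/lib/x86_64-linux-gnu/libsepol.so.2
/usr/lib/x86_64-linux-gnu/libsepol.so
/usr/lib/x86_64-linux-gnu/libc.so.6'

report_libsepol "$LDD_SAMPLE" "$PATHS_SAMPLE" ||
    echo "more than one libsepol location: check which one the build and loader use"

# Live use on a real system:
#   report_libsepol "$(ldd "$(command -v secilc)")" \
#                   "$(find /lib /usr -name 'libsepol.so*' 2>/dev/null)"
```
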


