* [PATCH 0/5 v2] Fix/add optional file type handling for genfscon rules
@ 2021-11-10 14:47 James Carter
From: James Carter @ 2021-11-10 14:47 UTC (permalink / raw)
  To: selinux; +Cc: nicolas.iooss, stephen.smalley.work, James Carter

genfscon rules have always supported an optional file type, but when
the ability for writing a policy.conf file from a kernel policy was
added to libsepol it did not include that support. Support for the
optional file type was also left out of CIL genfscon rules.

This patch set fixes these problems.

Patch 1 adds support for writing the optional file type in genfscon rules
when writing a policy.conf file from a kernel policy.

Patches 2-5 add support in CIL for handling an optional file type
in genfscon rules, update the CIL documentation, and add support
when writing out CIL from a kernel policy or module as well.

James Carter (5):
  libsepol: Add support for file types in writing out policy.conf
  libsepol/cil: Refactor filecon file type handling
  libsepol/cil: Allow optional file type in genfscon rules
  secilc/docs: Document the optional file type for genfscon rules
  libsepol: Write out genfscon file type when writing out CIL policy

 libsepol/cil/src/cil.c                      |  6 ++-
 libsepol/cil/src/cil_binary.c               | 37 +++++++++++++
 libsepol/cil/src/cil_build_ast.c            | 49 +++++++++++++++---
 libsepol/cil/src/cil_internal.h             |  5 +-
 libsepol/cil/src/cil_write_ast.c            | 57 +++++++++++++++++----
 libsepol/src/kernel_to_cil.c                | 35 ++++++++++++-
 libsepol/src/kernel_to_conf.c               | 35 ++++++++++++-
 libsepol/src/module_to_cil.c                | 27 +++++++++-
 secilc/docs/cil_file_labeling_statements.md | 10 +++-
 9 files changed, 234 insertions(+), 27 deletions(-)

-- 
2.31.1



* [PATCH 1/5 v2] libsepol: Add support for file types in writing out policy.conf
From: James Carter @ 2021-11-10 14:47 UTC (permalink / raw)
  To: selinux; +Cc: nicolas.iooss, stephen.smalley.work, James Carter

Although rarely used, genfscon rules support the specification of a
file type just like the rules in a file context file. The file type
is used to make the genfscon rule apply only for a specific security
class. Currently, when writing out a policy.conf file from a kernel
policy, it is assumed that every genfscon rule applies to all security
classes and no file type will be added to the genfscon rule.

Write out the appropriate file type if the genfscon rule is only for
a specific security class (file, dir, blk_file, chr_file, fifo_file,
lnk_file, or sock_file).

Signed-off-by: James Carter <jwcart2@gmail.com>
---
v2: Reordered if else block to have a consistent ordering.

 libsepol/src/kernel_to_conf.c | 35 +++++++++++++++++++++++++++++++++--
 1 file changed, 33 insertions(+), 2 deletions(-)

diff --git a/libsepol/src/kernel_to_conf.c b/libsepol/src/kernel_to_conf.c
index eb72e4ac..9f04961a 100644
--- a/libsepol/src/kernel_to_conf.c
+++ b/libsepol/src/kernel_to_conf.c
@@ -2513,6 +2513,8 @@ static int write_genfscon_rules_to_conf(FILE *out, struct policydb *pdb)
 	struct ocontext *ocon;
 	struct strs *strs;
 	char *fstype, *name, *ctx;
+	uint32_t sclass;
+	const char *file_type;
 	int rc;
 
 	rc = strs_init(&strs, 32);
@@ -2525,14 +2527,43 @@ static int write_genfscon_rules_to_conf(FILE *out, struct policydb *pdb)
 			fstype = genfs->fstype;
 			name = ocon->u.name;
 
+			sclass = ocon->v.sclass;
+			file_type = NULL;
+			if (sclass) {
+				const char *class_name = pdb->p_class_val_to_name[sclass-1];
+				if (strcmp(class_name, "file") == 0) {
+					file_type = "--";
+				} else if (strcmp(class_name, "dir") == 0) {
+					file_type = "-d";
+				} else if (strcmp(class_name, "chr_file") == 0) {
+					file_type = "-c";
+				} else if (strcmp(class_name, "blk_file") == 0) {
+					file_type = "-b";
+				} else if (strcmp(class_name, "sock_file") == 0) {
+					file_type = "-s";
+				} else if (strcmp(class_name, "fifo_file") == 0) {
+					file_type = "-p";
+				} else if (strcmp(class_name, "lnk_file") == 0) {
+					file_type = "-l";
+				} else {
+					rc = -1;
+					goto exit;
+				}
+			}
+
 			ctx = context_to_str(pdb, &ocon->context[0]);
 			if (!ctx) {
 				rc = -1;
 				goto exit;
 			}
 
-			rc = strs_create_and_add(strs, "genfscon %s \"%s\" %s", 3,
-						 fstype, name, ctx);
+			if (file_type) {
+				rc = strs_create_and_add(strs, "genfscon %s \"%s\" %s %s", 4,
+										 fstype, name, file_type, ctx);
+			} else {
+				rc = strs_create_and_add(strs, "genfscon %s \"%s\" %s", 3,
+										 fstype, name, ctx);
+			}
 			free(ctx);
 			if (rc != 0) {
 				goto exit;
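Review bot: the seven-way strcmp chain that maps a class name to a policy.conf flag is reproduced, with only the output strings changed, in kernel_to_cil.c and module_to_cil.c later in this series; one static table of (class name, policy.conf flag, CIL keyword) walked by a loop would keep all three writers in step and make adding a class a one-line change. Also, the final `else { rc = -1; goto exit; }` fails without any message when a genfscon carries a class outside the seven file classes, so the caller only sees a generic failure; logging the offending class name before the jump would make that diagnosable. Minor: the continuation lines of the new strs_create_and_add calls are indented well past the alignment used by the original call.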
-- 
2.31.1



* [PATCH 2/5 v2] libsepol/cil: Refactor filecon file type handling
From: James Carter @ 2021-11-10 14:47 UTC (permalink / raw)
  To: selinux; +Cc: nicolas.iooss, stephen.smalley.work, James Carter

Prepare for the addition of an optional file type in genfscon rules
by refactoring filecon file type handling.

Make the "any" file type be the first value in enum cil_filecon_types
because it will be the most common file type.

Signed-off-by: James Carter <jwcart2@gmail.com>
---
v2: New patch

 libsepol/cil/src/cil.c           |  5 ++++-
 libsepol/cil/src/cil_build_ast.c |  6 +++---
 libsepol/cil/src/cil_internal.h  |  4 ++--
 libsepol/cil/src/cil_write_ast.c | 30 ++++++++++++++++++++----------
 4 files changed, 29 insertions(+), 16 deletions(-)

diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
index 4cc7f87f..a152d689 100644
--- a/libsepol/cil/src/cil.c
+++ b/libsepol/cil/src/cil.c
@@ -1765,6 +1765,9 @@ int cil_filecons_to_string(struct cil_db *db, char **out, size_t *size)
 		str_tmp += buf_pos;
 
 		switch(filecon->type) {
+		case CIL_FILECON_ANY:
+			str_type = "";
+			break;
 		case CIL_FILECON_FILE:
 			str_type = "\t--";
 			break;
@@ -2530,7 +2533,7 @@ void cil_filecon_init(struct cil_filecon **filecon)
 	*filecon = cil_malloc(sizeof(**filecon));
 
 	(*filecon)->path_str = NULL;
-	(*filecon)->type = 0;
+	(*filecon)->type = CIL_FILECON_ANY;
 	(*filecon)->context_str = NULL;
 	(*filecon)->context = NULL;
 }
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index 9c34be23..6a6f4f33 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -4229,7 +4229,9 @@ int cil_gen_filecon(struct cil_db *db, struct cil_tree_node *parse_current, stru
 
 	filecon->path_str = parse_current->next->data;
 
-	if (type == CIL_KEY_FILE) {
+	if (type == CIL_KEY_ANY) {
+		filecon->type = CIL_FILECON_ANY;
+	} else if (type == CIL_KEY_FILE) {
 		filecon->type = CIL_FILECON_FILE;
 	} else if (type == CIL_KEY_DIR) {
 		filecon->type = CIL_FILECON_DIR;
@@ -4243,8 +4245,6 @@ int cil_gen_filecon(struct cil_db *db, struct cil_tree_node *parse_current, stru
 		filecon->type = CIL_FILECON_PIPE;
 	} else if (type == CIL_KEY_SYMLINK) {
 		filecon->type = CIL_FILECON_SYMLINK;
-	} else if (type == CIL_KEY_ANY) {
-		filecon->type = CIL_FILECON_ANY;
 	} else {
 		cil_log(CIL_ERR, "Invalid file type\n");
 		rc = SEPOL_ERR;
diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h
index 6f1d3cb5..fb2856d6 100644
--- a/libsepol/cil/src/cil_internal.h
+++ b/libsepol/cil/src/cil_internal.h
@@ -730,14 +730,14 @@ struct cil_context {
 };
 
 enum cil_filecon_types {
-	CIL_FILECON_FILE = 1,
+	CIL_FILECON_ANY = 0,
+	CIL_FILECON_FILE,
 	CIL_FILECON_DIR,
 	CIL_FILECON_CHAR,
 	CIL_FILECON_BLOCK,
 	CIL_FILECON_SOCKET,
 	CIL_FILECON_PIPE,
 	CIL_FILECON_SYMLINK,
-	CIL_FILECON_ANY
 };
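Review bot: with CIL_FILECON_ANY moved to value 0, a zero-initialised cil_filecon (and, once patch 3 lands, cil_genfscon) now reads as "any" instead of as an invalid type. That is exactly what the commit message intends and cil_filecon_init sets it explicitly anyway, so no change needed, but a short comment on the enum noting that 0 is the deliberate "no file type" default would stop a future reader from treating it as an uninitialised value.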
 
 struct cil_filecon {
diff --git a/libsepol/cil/src/cil_write_ast.c b/libsepol/cil/src/cil_write_ast.c
index d7f00bcc..40effcdc 100644
--- a/libsepol/cil/src/cil_write_ast.c
+++ b/libsepol/cil/src/cil_write_ast.c
@@ -1232,24 +1232,34 @@ void cil_write_ast_node(FILE *out, struct cil_tree_node *node)
 		struct cil_filecon *filecon = node->data;
 		fprintf(out, "(filecon ");
 		fprintf(out, "\"%s\" ", filecon->path_str);
-		if (filecon->type == CIL_FILECON_FILE)
+		switch (filecon->type) {
+		case CIL_FILECON_ANY:
+			fprintf(out, "%s ", CIL_KEY_ANY);
+			break;
+		case CIL_FILECON_FILE:
 			fprintf(out, "%s ", CIL_KEY_FILE);
-		else if (filecon->type == CIL_FILECON_DIR)
+			break;
+		case CIL_FILECON_DIR:
 			fprintf(out, "%s ", CIL_KEY_DIR);
-		else if (filecon->type == CIL_FILECON_CHAR)
+			break;
+		case CIL_FILECON_CHAR:
 			fprintf(out, "%s ", CIL_KEY_CHAR);
-		else if (filecon->type == CIL_FILECON_BLOCK)
+			break;
+		case CIL_FILECON_BLOCK:
 			fprintf(out, "%s ", CIL_KEY_BLOCK);
-		else if (filecon->type == CIL_FILECON_SOCKET)
+			break;
+		case CIL_FILECON_SOCKET:
 			fprintf(out, "%s ", CIL_KEY_SOCKET);
-		else if (filecon->type == CIL_FILECON_PIPE)
+			break;
+		case CIL_FILECON_PIPE:
 			fprintf(out, "%s ", CIL_KEY_PIPE);
-		else if (filecon->type == CIL_FILECON_SYMLINK)
+			break;
+		case CIL_FILECON_SYMLINK:
 			fprintf(out, "%s ", CIL_KEY_SYMLINK);
-		else if (filecon->type == CIL_FILECON_ANY)
-			fprintf(out, "%s ", CIL_KEY_ANY);
-		else
+			break;
+		default:
 			fprintf(out, "<?FILETYPE> ");
+		}
 		if (filecon->context)
 			write_context(out, filecon->context, CIL_TRUE);
 		else if (filecon->context_str)
-- 
2.31.1



* [PATCH 3/5 v2] libsepol/cil: Allow optional file type in genfscon rules
From: James Carter @ 2021-11-10 14:47 UTC (permalink / raw)
  To: selinux; +Cc: nicolas.iooss, stephen.smalley.work, James Carter

The optional specification of a file type for a genfscon rule to
make it apply only to a specific security class is allowed by
checkpolicy and checkmodule and should be allowed for CIL policies
as well.

Allow an optional file type to be specified for a genfscon rule.
The new syntax:
  (genfscon FSNAME PATH [FILE_TYPE] CONTEXT)

  FSNAME    - The name of the supported filesystem
  PATH      - If FSNAME is proc then this is the partial path,
              otherwise this must be "/".
  FILE_TYPE - A single keyword representing the file type.
              file type  security class
                any        Same as not specifying a file type
                file       file
                dir        dir
                char       chr_file
                block      blk_file
                socket     sock_file
                pipe       fifo_file
                symlink    lnk_file
  CONTEXT    - Either a previously declared security context identifier
               or an anonymous security context.

Signed-off-by: James Carter <jwcart2@gmail.com>
---
v2: Initialize file_type field
    Reordered if else block to start with "any"
    Write out file type when writing AST

 libsepol/cil/src/cil.c           |  1 +
 libsepol/cil/src/cil_binary.c    | 37 +++++++++++++++++++++++++++
 libsepol/cil/src/cil_build_ast.c | 43 +++++++++++++++++++++++++++++---
 libsepol/cil/src/cil_internal.h  |  1 +
 libsepol/cil/src/cil_write_ast.c | 27 ++++++++++++++++++++
 5 files changed, 105 insertions(+), 4 deletions(-)

diff --git a/libsepol/cil/src/cil.c b/libsepol/cil/src/cil.c
index a152d689..9916cbee 100644
--- a/libsepol/cil/src/cil.c
+++ b/libsepol/cil/src/cil.c
@@ -2577,6 +2577,7 @@ void cil_genfscon_init(struct cil_genfscon **genfscon)
 
 	(*genfscon)->fs_str = NULL;
 	(*genfscon)->path_str = NULL;
+	(*genfscon)->file_type = CIL_FILECON_ANY;
 	(*genfscon)->context_str = NULL;
 	(*genfscon)->context = NULL;
 }
diff --git a/libsepol/cil/src/cil_binary.c b/libsepol/cil/src/cil_binary.c
index d8aa495a..4ac8ce8d 100644
--- a/libsepol/cil/src/cil_binary.c
+++ b/libsepol/cil/src/cil_binary.c
@@ -3462,6 +3462,43 @@ int cil_genfscon_to_policydb(policydb_t *pdb, struct cil_sort *genfscons)
 
 		new_ocon->u.name = cil_strdup(cil_genfscon->path_str);
 
+		if (cil_genfscon->file_type != CIL_FILECON_ANY) {
+			class_datum_t *class_datum;
+			const char *class_name;
+			switch (cil_genfscon->file_type) {
+			case CIL_FILECON_FILE:
+				class_name = "file";
+				break;
+			case CIL_FILECON_DIR:
+				class_name = "dir";
+				break;
+			case CIL_FILECON_CHAR:
+				class_name = "chr_file";
+				break;
+			case CIL_FILECON_BLOCK:
+				class_name = "blk_file";
+				break;
+			case CIL_FILECON_SOCKET:
+				class_name = "sock_file";
+				break;
+			case CIL_FILECON_PIPE:
+				class_name = "fifo_file";
+				break;
+			case CIL_FILECON_SYMLINK:
+				class_name = "lnk_file";
+				break;
+			default:
+				rc = SEPOL_ERR;
+				goto exit;
+			}
+			class_datum = hashtab_search(pdb->p_classes.table, class_name);
+			if (!class_datum) {
+				rc = SEPOL_ERR;
+				goto exit;
+			}
+			new_ocon->v.sclass = class_datum->s.value;
+		}
+
 		rc = __cil_context_to_sepol_context(pdb, cil_genfscon->context, &new_ocon->context[0]);
 		if (rc != SEPOL_OK) {
 			goto exit;
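Review bot: both error paths in the new block, the `default:` arm and the failed hashtab_search, set SEPOL_ERR and jump to exit without a cil_log message, whereas the parser side in cil_build_ast.c logs what it rejects. A policy that uses, say, `symlink` on a genfscon but never declares the `lnk_file` class will fail to compile with no indication of which rule or class is responsible; a `cil_log(CIL_ERR, ...)` naming class_name (and ideally fs_str/path_str) before `goto exit` would fix that. The keyword-to-class switch is also the inverse of the strcmp chain in kernel_to_conf.c from patch 1, so a single shared mapping would serve both.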
diff --git a/libsepol/cil/src/cil_build_ast.c b/libsepol/cil/src/cil_build_ast.c
index 6a6f4f33..4a501b8f 100644
--- a/libsepol/cil/src/cil_build_ast.c
+++ b/libsepol/cil/src/cil_build_ast.c
@@ -4572,9 +4572,11 @@ int cil_gen_genfscon(struct cil_db *db, struct cil_tree_node *parse_current, str
 		CIL_SYN_STRING,
 		CIL_SYN_STRING,
 		CIL_SYN_STRING | CIL_SYN_LIST,
+		CIL_SYN_STRING | CIL_SYN_LIST | CIL_SYN_END,
 		CIL_SYN_END
 	};
 	size_t syntax_len = sizeof(syntax)/sizeof(*syntax);
+	struct cil_tree_node *context_node;
 	int rc = SEPOL_ERR;
 	struct cil_genfscon *genfscon = NULL;
 
@@ -4592,15 +4594,48 @@ int cil_gen_genfscon(struct cil_db *db, struct cil_tree_node *parse_current, str
 	genfscon->fs_str = parse_current->next->data;
 	genfscon->path_str = parse_current->next->next->data;
 
-	if (parse_current->next->next->next->cl_head == NULL ) {
-		genfscon->context_str = parse_current->next->next->next->data;
+	if (parse_current->next->next->next->next) {
+		/* (genfscon <FS_STR> <PATH_STR> <FILE_TYPE> ... */
+		char *file_type = parse_current->next->next->next->data;
+		if (file_type == CIL_KEY_ANY) {
+			genfscon->file_type = CIL_FILECON_ANY;
+		} else if (file_type == CIL_KEY_FILE) {
+			genfscon->file_type = CIL_FILECON_FILE;
+		} else if (file_type == CIL_KEY_DIR) {
+			genfscon->file_type = CIL_FILECON_DIR;
+		} else if (file_type == CIL_KEY_CHAR) {
+			genfscon->file_type = CIL_FILECON_CHAR;
+		} else if (file_type == CIL_KEY_BLOCK) {
+			genfscon->file_type = CIL_FILECON_BLOCK;
+		} else if (file_type == CIL_KEY_SOCKET) {
+			genfscon->file_type = CIL_FILECON_SOCKET;
+		} else if (file_type == CIL_KEY_PIPE) {
+			genfscon->file_type = CIL_FILECON_PIPE;
+		} else if (file_type == CIL_KEY_SYMLINK) {
+			genfscon->file_type = CIL_FILECON_SYMLINK;
+		} else {
+			if (parse_current->next->next->next->cl_head) {
+				cil_log(CIL_ERR, "Expecting file type, but found a list\n");
+			} else {
+				cil_log(CIL_ERR, "Invalid file type \"%s\"\n", file_type);
+			}
+			rc = SEPOL_ERR;
+			goto exit;
+		}
+		context_node = parse_current->next->next->next->next;
 	} else {
-		cil_context_init(&genfscon->context);
+		/* (genfscon <FS_STR> <PATH_STR> ... */
+		context_node = parse_current->next->next->next;
+	}
 
-		rc = cil_fill_context(parse_current->next->next->next->cl_head, genfscon->context);
+	if (context_node->cl_head) {
+		cil_context_init(&genfscon->context);
+		rc = cil_fill_context(context_node->cl_head, genfscon->context);
 		if (rc != SEPOL_OK) {
 			goto exit;
 		}
+	} else {
+		genfscon->context_str = context_node->data;
 	}
 
 	ast_node->data = genfscon;
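Review bot: the disambiguation logic is sound: when a fifth element is present the fourth must be a file type keyword, a list there is reported as "Expecting file type, but found a list", and with only four elements the fourth is the context whether it is a string or a list. The `file_type == CIL_KEY_ANY` comparisons are pointer comparisons, which is the established convention here because the parser interns keywords (cil_gen_filecon does the same), so they are consistent. The if/else chain, however, is a second copy of cil_gen_filecon's keyword-to-enum mapping; a small shared helper (for example one that takes the keyword pointer and returns the enum or an error) would let both rules share one mapping and one "Invalid file type" message.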
diff --git a/libsepol/cil/src/cil_internal.h b/libsepol/cil/src/cil_internal.h
index fb2856d6..a7604762 100644
--- a/libsepol/cil/src/cil_internal.h
+++ b/libsepol/cil/src/cil_internal.h
@@ -791,6 +791,7 @@ struct cil_ipaddr {
 struct cil_genfscon {
 	char *fs_str;
 	char *path_str;
+	enum cil_filecon_types file_type;
 	char *context_str;
 	struct cil_context *context;
 };
diff --git a/libsepol/cil/src/cil_write_ast.c b/libsepol/cil/src/cil_write_ast.c
index 40effcdc..bebb2670 100644
--- a/libsepol/cil/src/cil_write_ast.c
+++ b/libsepol/cil/src/cil_write_ast.c
@@ -1328,6 +1328,33 @@ void cil_write_ast_node(FILE *out, struct cil_tree_node *node)
 		struct cil_genfscon *genfscon = node->data;
 		fprintf(out, "(genfscon ");
 		fprintf(out, "%s \"%s\" ", genfscon->fs_str, genfscon->path_str);
+		if (genfscon->file_type != CIL_FILECON_ANY) {
+			switch (genfscon->file_type) {
+			case CIL_FILECON_FILE:
+				fprintf(out, "%s ", CIL_KEY_FILE);
+				break;
+			case CIL_FILECON_DIR:
+				fprintf(out, "%s ", CIL_KEY_DIR);
+				break;
+			case CIL_FILECON_CHAR:
+				fprintf(out, "%s ", CIL_KEY_CHAR);
+				break;
+			case CIL_FILECON_BLOCK:
+				fprintf(out, "%s ", CIL_KEY_BLOCK);
+				break;
+			case CIL_FILECON_SOCKET:
+				fprintf(out, "%s ", CIL_KEY_SOCKET);
+				break;
+			case CIL_FILECON_PIPE:
+				fprintf(out, "%s ", CIL_KEY_PIPE);
+				break;
+			case CIL_FILECON_SYMLINK:
+				fprintf(out, "%s ", CIL_KEY_SYMLINK);
+				break;
+			default:
+				fprintf(out, "<?FILETYPE> ");
+			}
+		}
 		if (genfscon->context)
 			write_context(out, genfscon->context, CIL_TRUE);
 		else
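Review bot: the outer `if (genfscon->file_type != CIL_FILECON_ANY)` around the switch could be folded into a `case CIL_FILECON_ANY: break;`. More importantly, the filecon writer in this file (patch 2) prints `any` explicitly while this hunk omits it for genfscon. Omitting it is a reasonable choice since both forms round-trip to the same policy, but a one-line comment stating that `any` is intentionally written as the absence of a file type would avoid the apparent inconsistency between the two writers.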
-- 
2.31.1
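The rule syntax described in this patch's commit message, modelled end to end as an added example (not libsepol code and not from the series): a small s-expression reader for `(genfscon FSNAME PATH [FILE_TYPE] CONTEXT)`, the fourth-argument disambiguation that cil_gen_genfscon performs, and the policy.conf form that kernel_to_conf.c writes back out. The FILE_TYPES table reproduces the keyword/flag/class mapping from the patches; the assumption that levels in an anonymous context are plain sensitivity strings such as `s0` (no category sets) is the example's own simplification.

```python
"""Model of CIL genfscon parsing with the optional file type, and of the
policy.conf rendering. Constructed illustration, not libsepol code."""
import re

# CIL keyword -> (policy.conf file-type flag, kernel security class)
FILE_TYPES = {
    "file":    ("--", "file"),
    "dir":     ("-d", "dir"),
    "char":    ("-c", "chr_file"),
    "block":   ("-b", "blk_file"),
    "socket":  ("-s", "sock_file"),
    "pipe":    ("-p", "fifo_file"),
    "symlink": ("-l", "lnk_file"),
}

_TOKEN = re.compile(r'\(|\)|"[^"]*"|[^\s()"]+')


def _read_sexpr(tokens, pos):
    """Return (node, next_pos); a node is a string or a list of nodes."""
    if pos >= len(tokens):
        raise ValueError("unbalanced parentheses")
    tok = tokens[pos]
    if tok == ")":
        raise ValueError("unexpected ')'")
    if tok != "(":
        return tok, pos + 1
    items, pos = [], pos + 1
    while pos < len(tokens) and tokens[pos] != ")":
        node, pos = _read_sexpr(tokens, pos)
        items.append(node)
    if pos >= len(tokens):
        raise ValueError("unbalanced parentheses")
    return items, pos + 1


def parse_genfscon(rule):
    """Parse '(genfscon FSNAME PATH [FILE_TYPE] CONTEXT)'.

    sclass is None when the rule applies to every class; context is either a
    context identifier string or the anonymous list [user, role, type, [low, high]].
    """
    tokens = _TOKEN.findall(rule)
    node, end = _read_sexpr(tokens, 0)
    if end != len(tokens) or not isinstance(node, list) or node[:1] != ["genfscon"]:
        raise ValueError("expected a single genfscon rule")
    args = node[1:]
    if len(args) not in (3, 4) or not all(isinstance(a, str) for a in args[:2]):
        raise ValueError("usage: (genfscon FSNAME PATH [FILE_TYPE] CONTEXT)")
    sclass = None
    if len(args) == 4:
        # With a fourth argument the third must be a keyword, as in
        # cil_gen_genfscon: a list there cannot be the context, so it is an error.
        file_type = args[2]
        if isinstance(file_type, list):
            raise ValueError("Expecting file type, but found a list")
        if file_type != "any":        # "any" is the same as omitting the file type
            if file_type not in FILE_TYPES:
                raise ValueError(f'Invalid file type "{file_type}"')
            sclass = FILE_TYPES[file_type][1]
    return {"fs": args[0], "path": args[1].strip('"'), "sclass": sclass,
            "context": args[-1]}


def parse_error(rule):
    """Return the parse error message for rule, or None when it parses."""
    try:
        parse_genfscon(rule)
        return None
    except ValueError as exc:
        return str(exc)


def to_policy_conf(parsed, contexts=None):
    """Render as 'genfscon FS "PATH" [FLAG] u:r:t:range' (kernel_to_conf.c form).
    Named contexts are resolved through `contexts`, standing in for the policy."""
    ctx = parsed["context"]
    if isinstance(ctx, str):
        ctx = (contexts or {})[ctx]   # a context identifier must come from the policy
    user, role, type_, (low, high) = ctx
    base = f"{user}:{role}:{type_}:{low}"
    ctx_str = base if low == high else f"{base}-{high}"
    flag = ""
    if parsed["sclass"] is not None:
        flag = next(f for f, c in FILE_TYPES.values() if c == parsed["sclass"]) + " "
    return f'genfscon {parsed["fs"]} "{parsed["path"]}" {flag}{ctx_str}'
```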



* [PATCH 4/5 v2] secilc/docs: Document the optional file type for genfscon rules
From: James Carter @ 2021-11-10 14:47 UTC (permalink / raw)
  To: selinux; +Cc: nicolas.iooss, stephen.smalley.work, James Carter

Update the CIL documentation to include the optional file type for
genfscon rules.

Signed-off-by: James Carter <jwcart2@gmail.com>
---
v2: No changes

 secilc/docs/cil_file_labeling_statements.md | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/secilc/docs/cil_file_labeling_statements.md b/secilc/docs/cil_file_labeling_statements.md
index ed7b7bf9..73f73885 100644
--- a/secilc/docs/cil_file_labeling_statements.md
+++ b/secilc/docs/cil_file_labeling_statements.md
@@ -36,11 +36,13 @@ Define entries for labeling files. The compiler will produce these entries in a
 <col width="44%" />
 <col width="55%" />
 </colgroup>
-<tbody>
+<thead>
 <tr class="odd">
 <td align="left"><p><strong>keyword</strong></p></td>
 <td align="left"><p><strong>file_contexts entry</strong></p></td>
 </tr>
+</thead>
+<tbody>
 <tr class="even">
 <td align="left"><p><code>file</code></p></td>
 <td align="left"><p><code>--</code></p></td>
@@ -185,7 +187,7 @@ Used to allocate a security context to filesystems that cannot support any of th
 **Statement definition:**
 
 ```secil
-    (genfscon fsname path context_id)
+    (genfscon fsname path [file_type] context_id)
 ```
 
 **Where:**
@@ -209,6 +211,10 @@ Used to allocate a security context to filesystems that cannot support any of th
 <td align="left"><p>If <code>fsname</code> is <code>proc</code>, then the partial path (see examples). For all other types this must be ‘<code>/</code>’.</p></td>
 </tr>
 <tr class="even">
+<td align="left"><p><code>file_type</code></p></td>
+<td align="left"><p>Optional keyword representing a file type. Valid values are the same as in [`filecon`](cil_file_labeling_statements.md#filecon) rules.</p></td>
+</tr>
+<tr class="odd">
 <td align="left"><p><code>context_id</code></p></td>
 <td align="left"><p>A previously declared <code>context</code> identifier or an anonymous security context (<code>user role type levelrange</code>), the range MUST be defined whether the policy is MLS/MCS enabled or not.</p></td>
 </tr>
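Review bot: missing documentation: the diffstat (8 insertions, all accounted for by the three hunks above) shows that no example was added, so the Examples section still only shows genfscon rules without a file type; one example using the new optional keyword would show readers where it goes relative to the path and context. The new `file_type` row should also state that `any` is equivalent to omitting the keyword, as the commit message for patch 3 does, since readers following the link to the filecon table will otherwise not know whether `any` restricts the rule.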
-- 
2.31.1



* [PATCH 5/5] libsepol: Write out genfscon file type when writing out CIL policy
From: James Carter @ 2021-11-10 14:47 UTC (permalink / raw)
  To: selinux; +Cc: nicolas.iooss, stephen.smalley.work, James Carter

With an optional file type being added to CIL genfscon rules, it
should be used when writing out a kernel policy or module to CIL
when a genfscon rule should only apply to a single security class.

Signed-off-by: James Carter <jwcart2@gmail.com>
---
v2: Reordered if else blocks to have consistent ordering.

 libsepol/src/kernel_to_cil.c | 35 +++++++++++++++++++++++++++++++++--
 libsepol/src/module_to_cil.c | 27 ++++++++++++++++++++++++++-
 2 files changed, 59 insertions(+), 3 deletions(-)

diff --git a/libsepol/src/kernel_to_cil.c b/libsepol/src/kernel_to_cil.c
index 305567a5..ad92a7bc 100644
--- a/libsepol/src/kernel_to_cil.c
+++ b/libsepol/src/kernel_to_cil.c
@@ -2640,6 +2640,8 @@ static int write_genfscon_rules_to_cil(FILE *out, struct policydb *pdb)
 	struct ocontext *ocon;
 	struct strs *strs;
 	char *fstype, *name, *ctx;
+	uint32_t sclass;
+	const char *file_type;
 	int rc;
 
 	rc = strs_init(&strs, 32);
@@ -2652,14 +2654,43 @@ static int write_genfscon_rules_to_cil(FILE *out, struct policydb *pdb)
 			fstype = genfs->fstype;
 			name = ocon->u.name;
 
+			sclass = ocon->v.sclass;
+			file_type = NULL;
+			if (sclass) {
+				const char *class_name = pdb->p_class_val_to_name[sclass-1];
+				if (strcmp(class_name, "file") == 0) {
+					file_type = "file";
+				} else if (strcmp(class_name, "dir") == 0) {
+					file_type = "dir";
+				} else if (strcmp(class_name, "chr_file") == 0) {
+					file_type = "char";
+				} else if (strcmp(class_name, "blk_file") == 0) {
+					file_type = "block";
+				} else if (strcmp(class_name, "sock_file") == 0) {
+					file_type = "socket";
+				} else if (strcmp(class_name, "fifo_file") == 0) {
+					file_type = "pipe";
+				} else if (strcmp(class_name, "lnk_file") == 0) {
+					file_type = "symlink";
+				} else {
+					rc = -1;
+					goto exit;
+				}
+			}
+
 			ctx = context_to_str(pdb, &ocon->context[0]);
 			if (!ctx) {
 				rc = -1;
 				goto exit;
 			}
 
-			rc = strs_create_and_add(strs, "(genfscon %s \"%s\" %s)", 3,
-						 fstype, name, ctx);
+			if (file_type) {
+				rc = strs_create_and_add(strs, "(genfscon %s \"%s\" %s %s)", 4,
+										 fstype, name, file_type, ctx);
+			} else {
+				rc = strs_create_and_add(strs, "(genfscon %s \"%s\" %s)", 3,
+										 fstype, name, ctx);
+			}
 			free(ctx);
 			if (rc != 0) {
 				goto exit;
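Review bot: this hunk is a copy of the kernel_to_conf.c change in patch 1 with the policy.conf flags swapped for CIL keywords, and module_to_cil.c below carries a third copy; a single table keyed by class name that holds both the policy.conf flag and the CIL keyword would let all three writers share one lookup. As in patch 1, the trailing `else { rc = -1; goto exit; }` fails without logging which class was not recognised, and the new strs_create_and_add continuation lines are indented well past the original alignment.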
diff --git a/libsepol/src/module_to_cil.c b/libsepol/src/module_to_cil.c
index 16e4004e..c80937e8 100644
--- a/libsepol/src/module_to_cil.c
+++ b/libsepol/src/module_to_cil.c
@@ -2961,10 +2961,35 @@ static int genfscon_to_cil(struct policydb *pdb)
 {
 	struct genfs *genfs;
 	struct ocontext *ocon;
+	uint32_t sclass;
 
 	for (genfs = pdb->genfs; genfs != NULL; genfs = genfs->next) {
 		for (ocon = genfs->head; ocon != NULL; ocon = ocon->next) {
-			cil_printf("(genfscon %s \"%s\" ", genfs->fstype, ocon->u.name);
+			sclass = ocon->v.sclass;
+			if (sclass) {
+				const char *file_type;
+				const char *class_name = pdb->p_class_val_to_name[sclass-1];
+				if (strcmp(class_name, "file") == 0) {
+					file_type = "file";
+				} else if (strcmp(class_name, "dir") == 0) {
+					file_type = "dir";
+				} else if (strcmp(class_name, "chr_file") == 0) {
+					file_type = "char";
+				} else if (strcmp(class_name, "blk_file") == 0) {
+					file_type = "block";
+				} else if (strcmp(class_name, "sock_file") == 0) {
+					file_type = "socket";
+				} else if (strcmp(class_name, "fifo_file") == 0) {
+					file_type = "pipe";
+				} else if (strcmp(class_name, "lnk_file") == 0) {
+					file_type = "symlink";
+				} else {
+					return -1;
+				}
+				cil_printf("(genfscon %s \"%s\" %s ", genfs->fstype, ocon->u.name, file_type);
+			} else {
+				cil_printf("(genfscon %s \"%s\" ", genfs->fstype, ocon->u.name);
+			}
 			context_to_cil(pdb, &ocon->context[0]);
 			cil_printf(")\n");
 		}
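Review bot: the `return -1` for an unrecognised class happens after earlier rules in the loop have already been emitted with cil_printf and without any message, so the caller gets truncated output and no hint why; logging the class name before returning would make the failure diagnosable. This is also the third copy of the class-name to keyword mapping in the series (kernel_to_conf.c, kernel_to_cil.c, and here), which argues for one shared table.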
-- 
2.31.1



* Re: [PATCH 1/5 v2] libsepol: Add support for file types in writing out policy.conf
From: James Carter @ 2021-12-09 17:32 UTC (permalink / raw)
  To: Stephen Smalley; +Cc: SElinux list, Nicolas Iooss

On Tue, Dec 7, 2021 at 1:31 PM Stephen Smalley
<stephen.smalley.work@gmail.com> wrote:
>
> On Wed, Nov 10, 2021 at 9:47 AM James Carter <jwcart2@gmail.com> wrote:
>>
>> Although rarely used, genfscon rules support the specification of a
>> file type just like the rules in a file context file. The file type
>> is used to make the genfscon rule apply only for a specific security
>> class. Currently, when writing out a policy.conf file from a kernel
>> policy, it is assumed that every genfscon rule applies to all security
>> classes and no file type will be added to the genfscon rule.
>>
>> Write out the appropriate file type if the genfscon rule is only for
>> a specific security class (file, dir, blk_file, chr_file, fifo_file,
>> lnk_file, or sock_file).
>>
>> Signed-off-by: James Carter <jwcart2@gmail.com>
>
>
> Acked-by: Stephen Smalley <stephen.smalley.work@gmail.com>

This series was merged.
Jim

